[ntp:security] [Pool] NTP CVE patches?

Miroslav Lichvar mlichvar at redhat.com
Fri Oct 23 05:23:00 UTC 2015


On Thu, Oct 22, 2015 at 10:05:43PM -0400, Danny Mayer wrote:
> This looks wrong. If you fail the origin timestamp test then the packet
> is now dropped immediately and it never gets to the RATE KoD test. 

Yes and that's what breaks the peering.

> If it
> does get to the RATE KoD test then the Origin Timestamp is valid. If
> it's a RATE KoD then it obeys the backoff but all KoDs must be dropped.
> I think you missed the fact that the failure of TEST2 now causes it to
> immediately drop the packet. See the returns on line 1343 and 1365.

Yes, with TEST2 it doesn't get to the KoD test, but with TEST3 it
does.

-- 
Miroslav Lichvar

