[ntp:security] [Pool] NTP CVE patches?

Miroslav Lichvar mlichvar at redhat.com
Fri Oct 23 05:23:00 UTC 2015

On Thu, Oct 22, 2015 at 10:05:43PM -0400, Danny Mayer wrote:
> This looks wrong. If you fail the origin timestamp test then the packet
> is now dropped immediately and it never gets to the RATE KoD test. 

Yes and that's what breaks the peering.

> If it
> does get to the RATE KoD test then the Origin Timestamp is valid. If
> it's a RATE KoD then it obeys the backoff but all KoDs must be dropped.
> I think you missed the fact that the failure of TEST2 now causes it to
> immediately drop the packet. See the returns on line 1343 and 1365.

Yes, with TEST2 it doesn't get to the KoD test, but with TEST3 it

Miroslav Lichvar
