[ntp:security] findpeer()

Danny Mayer mayer at pdmconsulting.net
Wed Jan 20 02:47:21 UTC 2016


On 1/19/2016 6:54 PM, Harlan Stenn wrote:
> ntp_peer.c's findpeer() function takes 3 arguments:
> 
> struct peer *
> findpeer(
>         struct recvbuf *rbufp,
>         int             pkt_mode,
>         int *           action
>         )
> {
> 
> pkt_mode seems to be the cleaned-up mode from rbufp->recv_pkt, in
> ntp_proto.c
> 
> Apparently we do inadequate cleaning of the previous good packet in the
> peer_hash because line 301 of ntp_peer.c (in findpeer()) is:
> 
>        *action = MATCH_ASSOC(p->hmode, pkt_mode);
> 
> and that indexes into a 7x7 array.  p->hmode can be a much bigger
> number, apparently.

Well, that piece of data comes from:

hismode = (int)PKT_MODE(pkt->li_vn_mode);

and consists only of 3 bits according to the RFC and I see nothing in
ntp_proto.c that would change this value. Did I miss something?

Danny
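An added illustration of the arithmetic the two messages above turn on; this is example code written for this page, not ntpd's code. A 3-bit mode field masked the way PKT_MODE() does always yields a value in 0..7, which is eight values, while a 7x7 table indexed by (hmode, pkt_mode) has valid indices 0..6. Whether ntpd screens out mode 7 before findpeer() is reached is not settled by this thread, so the code below simply makes the range gap visible with a constructed first header byte, a placeholder table (AM, AM_MODES, AM_NOMATCH, AM_PROCPKT and the cell contents are all assumptions, not ntpd's table), and a checked lookup that refuses out-of-range indices instead of indexing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field extraction from the first NTP header byte (RFC 5905):
 * LI is bits 7-6, VN bits 5-3, Mode bits 2-0. The mode mask is the
 * same 3-bit mask as in the thread, so the result is always 0..7. */
#define PKT_LEAP(b)    (((b) >> 6) & 0x3)
#define PKT_VERSION(b) (((b) >> 3) & 0x7)
#define PKT_MODE(b)    ((b) & 0x7)

/* Hypothetical association-match table with the same 7x7 shape as the
 * MATCH_ASSOC lookup discussed above. The cell values are placeholders
 * (assumption, not ntpd's table): everything is AM_NOMATCH except two
 * cells marked AM_PROCPKT to have something to look up. */
#define AM_MODES 7
enum am_action { AM_NOMATCH = 0, AM_PROCPKT = 1 };
static const int AM[AM_MODES][AM_MODES] = {
    [1][1] = AM_PROCPKT,   /* placeholder: active <-> active */
    [3][4] = AM_PROCPKT,   /* placeholder: client receiving server reply */
};

/* Checked lookup: refuse any index outside 0..AM_MODES-1 rather than
 * reading past the table. Returns false and reports AM_NOMATCH on a
 * rejected index, true and the table cell otherwise. */
static bool match_assoc_checked(int hmode, int pkt_mode, int *action)
{
    if (hmode < 0 || hmode >= AM_MODES ||
        pkt_mode < 0 || pkt_mode >= AM_MODES) {
        *action = AM_NOMATCH;
        return false;
    }
    *action = AM[hmode][pkt_mode];
    return true;
}

/* Sweep every possible first header byte: PKT_MODE() never exceeds 7
 * (the 3-bit claim), but the bytes whose low three bits are 111 decode
 * to mode 7, which a 7-entry axis cannot index. Returns how many of
 * the 256 byte values land outside the table, or -1 if the mask ever
 * produced a value above 7 (it cannot). */
static int count_modes_out_of_table_range(void)
{
    int out = 0;
    for (int b = 0; b < 256; b++) {
        int m = PKT_MODE((uint8_t)b);
        if (m > 7)
            return -1;
        if (m >= AM_MODES)
            out++;
    }
    return out;
}

int main(void)
{
    /* Constructed first header bytes: 0x23 = LI 0, VN 4, mode 3 (client);
     * 0xE7 = LI 3, VN 4, mode 7. */
    uint8_t sample[] = { 0x23, 0xE7 };
    int hmode = 3;   /* assumed local association mode for the demo */

    for (size_t i = 0; i < sizeof sample; i++) {
        int pkt_mode = PKT_MODE(sample[i]);
        int action;
        bool ok = match_assoc_checked(hmode, pkt_mode, &action);
        printf("byte 0x%02X: VN %d mode %d -> %s (action %d)\n",
               sample[i], PKT_VERSION(sample[i]), pkt_mode,
               ok ? "indexed" : "rejected", action);
    }
    printf("first-byte values decoding to a mode >= %d: %d of 256\n",
           AM_MODES, count_modes_out_of_table_range());
    return 0;
}
```

The checked lookup is the defensive form a reviewer would want at the call site either way: it makes the table's bounds explicit instead of relying on every caller having filtered the mode earlier.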
