[ntp:security] findpeer()
Danny Mayer
mayer at pdmconsulting.net
Wed Jan 20 02:47:21 UTC 2016
On 1/19/2016 6:54 PM, Harlan Stenn wrote:
> ntp_peer.c's findpeer() function takes 3 arguments:
>
> struct peer *
> findpeer(
> 	struct recvbuf *rbufp,
> 	int pkt_mode,
> 	int * action
> 	)
> {
>
> pkt_mode seems to be the cleaned-up mode from rbufp->recv_pkt, in
> ntp_proto.c
>
> Apparently we do inadequate cleaning of the previous good packet in the
> peer_hash because line 301 of ntp_peer.c (in findpeer()) is:
>
> *action = MATCH_ASSOC(p->hmode, pkt_mode);
>
> and that indexes into a 7x7 array. p->hmode can be a much bigger
> number, apparently.
Well, that piece of data comes from:
hismode = (int)PKT_MODE(pkt->li_vn_mode);
and consists only of 3 bits according to the RFC, and I see nothing in
ntp_proto.c that would change this value. Did I miss something?
Danny
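As an added illustration of the bounds check the thread is circling (constructed example, not ntpd's own code): the mode field is the low 3 bits of the first header byte per RFC 5905, so it can carry eight values (0..7), while the post describes MATCH_ASSOC as indexing a 7x7 table; a guarded lookup rejects any hmode or pkt_mode outside that table instead of reading past it. The table contents, NMATCH, match_assoc_checked() and action_for() are placeholders, not the real matching table.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 5905 header byte: bits 7-6 LI, bits 5-3 VN, bits 2-0 Mode. */
#define PKT_MODE_OF(li_vn_mode) ((int)((li_vn_mode) & 0x07))

/* Placeholder actions for a constructed association-matching table. */
enum { ACT_DISCARD = 0, ACT_PROCESS = 1, ACT_NEWPEER = 2, ACT_INVALID = -1 };

/* 7x7 as described in the post; the 3-bit wire field can still carry 7,
 * and a corrupted stored hmode can be anything, so both indices are checked. */
#define NMATCH 7
static const int match_table[NMATCH][NMATCH] = {
	[4][3] = ACT_PROCESS, /* server peer, client packet (constructed) */
	[1][1] = ACT_PROCESS, /* symmetric active both ways (constructed) */
	[1][2] = ACT_PROCESS,
	[0][1] = ACT_NEWPEER, /* unspecified peer, active packet (constructed) */
	/* everything else is zero-initialised, i.e. ACT_DISCARD */
};

/* Bounds-checked replacement for an unguarded table[hmode][pkt_mode]. */
int match_assoc_checked(int hmode, int pkt_mode)
{
	if (hmode < 0 || hmode >= NMATCH || pkt_mode < 0 || pkt_mode >= NMATCH)
		return ACT_INVALID; /* never index outside the table */
	return match_table[hmode][pkt_mode];
}

/* Derive the packet mode from the raw header byte, then look it up
 * against the stored peer mode. */
int action_for(uint8_t li_vn_mode, int peer_hmode)
{
	return match_assoc_checked(peer_hmode, PKT_MODE_OF(li_vn_mode));
}

int main(void)
{
	/* 0x23 = LI 0, VN 4, mode 3 (client); 0xE7 = LI 3, VN 4, mode 7. */
	printf("server<-client: %d\n", action_for(0x23, 4));
	printf("mode 7 packet:  %d\n", action_for(0xE7, 4));
	printf("bogus hmode:    %d\n", match_assoc_checked(200, 1));
	return 0;
}
```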