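diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-1548 ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-1548 2016-04-28 08:37:42.513561354 +0200
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-04-28 09:30:59.450347729 +0200
@@ -306,6 +306,7 @@ receive(
 int authlen; /* offset of MAC field */
 int is_authentic = 0; /* cryptosum ok */
 int retcode = AM_NOMATCH; /* match code */
+ int xleave_mismatch = 0; /* mismatch in xleave mode */
 keyid_t skeyid = 0; /* key IDs */
 u_int32 opcode = 0; /* extension field opcode */
 sockaddr_u *dstadr_sin; /* active runway */
@@ -1067,9 +1068,8 @@ receive(
 }
 
 /*
- * Check for bogus packet in basic mode. If found, switch to
- * interleaved mode and resynchronize, but only after confirming
- * the packet is not bogus in symmetric interleaved mode.
+ * Check for bogus packet in basic mode. If found, check if it's not
+ * a valid packet in symmetric interleaved mode.
 */
 } else if (peer->flip == 0) {
 if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
@@ -1077,8 +1077,7 @@ receive(
 peer->flash |= TEST2; /* bogus */
 if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
 &peer->dst)) {
- peer->flip = 1;
- report_event(PEVNT_XLEAVE, peer, NULL);
+ xleave_mismatch = 1;
 }
 } else {
 L_CLR(&peer->aorg);
@@ -1152,6 +1151,16 @@ receive(
 }
 
 /*
+ * If the packet is bogus in basic mode but not in symmetric
+ * interleaved mode and it passed the authentication check,
+ * enable the mode and resynchronize.
+ */
+ if (xleave_mismatch && hismode == MODE_ACTIVE) {
+ peer->flip = 1;
+ report_event(PEVNT_XLEAVE, peer, NULL);
+ }
+
+ /*
 * Update the state variables.
 */
 if (peer->flip == 0) {
@@ -1715,5 +1723,12 @@ clock_update(
 sys_rootdelay = peer->delay + peer->rootdelay;
 sys_reftime = peer->dst;
+
+ /* Randomize the fraction part of the reference time to not reveal
+ peer->dst to NTP clients as it could be used in a DoS attack
+ enabling the symmetric interleaved mode with spoofed packets */
+ ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf));
+ if (L_ISHIS(&sys_reftime, &peer->dst))
+ sys_reftime.l_ui--;
 
 #ifdef DEBUG
 if (debug)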
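Review bot: In the clock_update() hunk the return value of `ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf));` is discarded, so if that helper can fail the fraction of `sys_reftime` stays equal to the fraction of `peer->dst`. The value the added comment wants hidden would then still be served to clients, and the `L_ISHIS` branch only lowers the seconds field. The helper's return contract is not visible here and should be confirmed; if it reports errors, a fallback such as `if (ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf)) != 0) sys_reftime.l_uf = 0;` keeps the fraction from leaking. Separately, the new comment in receive() says interleaved mode is enabled only after the packet "passed the authentication check", but the added test is just `if (xleave_mismatch && hismode == MODE_ACTIVE)`. That guarantee depends on early returns between the hunks that are not shown, and presumably gives no protection on associations configured without a key, which the comment should state; both functions continue outside the hunks.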