Blame SOURCES/ntp-4.2.6p5-cve-2016-7426.patch

5bc849
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 ntp-4.2.6p5/ntpd/ntp_proto.c
5bc849
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426	2016-11-21 16:14:42.804048665 +0100
5bc849
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2016-11-21 17:32:45.619107824 +0100
5bc849
@@ -473,30 +473,7 @@ receive(
5bc849
 	}
5bc849
 
5bc849
 	/*
5bc849
-	 * Update the MRU list and finger the cloggers. It can be a
5bc849
-	 * little expensive, so turn it off for production use.
5bc849
-	 */
5bc849
-	restrict_mask = ntp_monitor(rbufp, restrict_mask);
5bc849
-	if (restrict_mask & RES_LIMITED) {
5bc849
-		sys_limitrejected++;
5bc849
-		if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
5bc849
-		    hismode || MODE_SERVER == hismode)
5bc849
-			return;			/* rate exceeded */
5bc849
-
5bc849
-		if (hismode == MODE_CLIENT)
5bc849
-			fast_xmit(rbufp, MODE_SERVER, skeyid,
5bc849
-			    restrict_mask);
5bc849
-		else
5bc849
-			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
5bc849
-			    restrict_mask);
5bc849
-		return;				/* rate exceeded */
5bc849
-	}
5bc849
-	restrict_mask &= ~RES_KOD;
5bc849
-
5bc849
-	/*
5bc849
-	 * We have tossed out as many buggy packets as possible early in
5bc849
-	 * the game to reduce the exposure to a clogging attack. now we
5bc849
-	 * have to burn some cycles to find the association and
5bc849
+	 * now we have to burn some cycles to find the association and
5bc849
 	 * authenticate the packet if required. Note that we burn only
5bc849
 	 * MD5 cycles, again to reduce exposure. There may be no
5bc849
 	 * matching association and that's okay.
5bc849
@@ -519,6 +496,27 @@ receive(
5bc849
 	NTOHL_FP(&pkt->xmt, &p_xmt);
5bc849
 
5bc849
 	/*
5bc849
+	 * Update the MRU list and finger the cloggers. It can be a
5bc849
+	 * little expensive, so turn it off for production use.
5bc849
+	 */
5bc849
+	restrict_mask = ntp_monitor(rbufp, restrict_mask);
5bc849
+	if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {
5bc849
+		sys_limitrejected++;
5bc849
+		if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
5bc849
+		    hismode || MODE_SERVER == hismode)
5bc849
+			return;			/* rate exceeded */
5bc849
+
5bc849
+		if (hismode == MODE_CLIENT)
5bc849
+			fast_xmit(rbufp, MODE_SERVER, skeyid,
5bc849
+			    restrict_mask);
5bc849
+		else
5bc849
+			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
5bc849
+			    restrict_mask);
5bc849
+		return;				/* rate exceeded */
5bc849
+	}
5bc849
+	restrict_mask &= ~RES_KOD;
5bc849
+
5bc849
+	/*
5bc849
 	 * Authentication is conditioned by three switches:
5bc849
 	 *
5bc849
 	 * NOPEER  (RES_NOPEER) do not mobilize an association unless
5bc849
@@ -940,6 +938,10 @@ receive(
5bc849
 	case AM_NEWPASS:
5bc849
 		if (!AUTH(sys_authenticate | (restrict_mask &
5bc849
 		    (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
5bc849
+			if (restrict_mask & RES_LIMITED) {
5bc849
+				sys_limitrejected++;
5bc849
+				return;
5bc849
+			}
5bc849
 
5bc849
 			/*
5bc849
 			 * If authenticated but cannot mobilize an