|
 |
2b78f7 |
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 ntp-4.2.6p5/ntpd/ntp_proto.c
|
|
|
2b78f7 |
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 2016-11-21 16:14:42.804048665 +0100
|
|
|
2b78f7 |
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-11-21 17:32:45.619107824 +0100
|
|
|
2b78f7 |
@@ -473,30 +473,7 @@ receive(
|
|
|
2b78f7 |
}
|
|
|
2b78f7 |
|
|
|
2b78f7 |
/*
|
|
|
2b78f7 |
- * Update the MRU list and finger the cloggers. It can be a
|
|
|
2b78f7 |
- * little expensive, so turn it off for production use.
|
|
|
2b78f7 |
- */
|
|
|
2b78f7 |
- restrict_mask = ntp_monitor(rbufp, restrict_mask);
|
|
|
2b78f7 |
- if (restrict_mask & RES_LIMITED) {
|
|
|
2b78f7 |
- sys_limitrejected++;
|
|
|
2b78f7 |
- if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
|
|
|
2b78f7 |
- hismode || MODE_SERVER == hismode)
|
|
|
2b78f7 |
- return; /* rate exceeded */
|
|
|
2b78f7 |
-
|
|
|
2b78f7 |
- if (hismode == MODE_CLIENT)
|
|
|
2b78f7 |
- fast_xmit(rbufp, MODE_SERVER, skeyid,
|
|
|
2b78f7 |
- restrict_mask);
|
|
|
2b78f7 |
- else
|
|
|
2b78f7 |
- fast_xmit(rbufp, MODE_ACTIVE, skeyid,
|
|
|
2b78f7 |
- restrict_mask);
|
|
|
2b78f7 |
- return; /* rate exceeded */
|
|
|
2b78f7 |
- }
|
|
|
2b78f7 |
- restrict_mask &= ~RES_KOD;
|
|
|
2b78f7 |
-
|
|
|
2b78f7 |
- /*
|
|
|
2b78f7 |
- * We have tossed out as many buggy packets as possible early in
|
|
|
2b78f7 |
- * the game to reduce the exposure to a clogging attack. now we
|
|
|
2b78f7 |
- * have to burn some cycles to find the association and
|
|
|
2b78f7 |
+ * now we have to burn some cycles to find the association and
|
|
|
2b78f7 |
* authenticate the packet if required. Note that we burn only
|
|
|
2b78f7 |
* MD5 cycles, again to reduce exposure. There may be no
|
|
|
2b78f7 |
* matching association and that's okay.
|
|
|
2b78f7 |
@@ -519,6 +496,27 @@ receive(
|
|
|
2b78f7 |
NTOHL_FP(&pkt->xmt, &p_xmt);
|
|
|
2b78f7 |
|
|
|
2b78f7 |
/*
|
|
|
2b78f7 |
+ * Update the MRU list and finger the cloggers. It can be a
|
|
|
2b78f7 |
+ * little expensive, so turn it off for production use.
|
|
|
2b78f7 |
+ */
|
|
|
2b78f7 |
+ restrict_mask = ntp_monitor(rbufp, restrict_mask);
|
|
|
2b78f7 |
+ if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {
|
|
|
2b78f7 |
+ sys_limitrejected++;
|
|
|
2b78f7 |
+ if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
|
|
|
2b78f7 |
+ hismode || MODE_SERVER == hismode)
|
|
|
2b78f7 |
+ return; /* rate exceeded */
|
|
|
2b78f7 |
+
|
|
|
2b78f7 |
+ if (hismode == MODE_CLIENT)
|
|
|
2b78f7 |
+ fast_xmit(rbufp, MODE_SERVER, skeyid,
|
|
|
2b78f7 |
+ restrict_mask);
|
|
|
2b78f7 |
+ else
|
|
|
2b78f7 |
+ fast_xmit(rbufp, MODE_ACTIVE, skeyid,
|
|
|
2b78f7 |
+ restrict_mask);
|
|
|
2b78f7 |
+ return; /* rate exceeded */
|
|
|
2b78f7 |
+ }
|
|
|
2b78f7 |
+ restrict_mask &= ~RES_KOD;
|
|
|
2b78f7 |
+
|
|
|
2b78f7 |
+ /*
|
|
|
2b78f7 |
* Authentication is conditioned by three switches:
|
|
|
2b78f7 |
*
|
|
|
2b78f7 |
* NOPEER (RES_NOPEER) do not mobilize an association unless
|
|
|
2b78f7 |
@@ -940,6 +938,10 @@ receive(
|
|
|
2b78f7 |
case AM_NEWPASS:
|
|
|
2b78f7 |
if (!AUTH(sys_authenticate | (restrict_mask &
|
|
|
2b78f7 |
(RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
|
|
|
2b78f7 |
+ if (restrict_mask & RES_LIMITED) {
|
|
|
2b78f7 |
+ sys_limitrejected++;
|
|
|
2b78f7 |
+ return;
|
|
|
2b78f7 |
+ }
|
|
|
2b78f7 |
|
|
|
2b78f7 |
/*
|
|
|
2b78f7 |
* If authenticated but cannot mobilize an
|