|
 |
6e16f6 |
2017-02-12 09:49:29+01:00, perlinger@ntp.org
|
|
|
6e16f6 |
[Sec 3389] NTP-01-016: Denial of Service via Malformed Config
|
|
|
6e16f6 |
|
|
|
6e16f6 |
diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config.c
|
|
|
6e16f6 |
--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 2017-03-22 12:54:11.257454635 +0100
|
|
|
6e16f6 |
+++ ntp-4.2.6p5/ntpd/ntp_config.c 2017-03-22 12:57:06.919024166 +0100
|
|
|
6e16f6 |
@@ -311,6 +311,9 @@ void ntpd_set_tod_using(const char *);
|
|
|
6e16f6 |
static u_int32 get_pfxmatch(const char **, struct masks *);
|
|
|
6e16f6 |
static u_int32 get_match(const char *, struct masks *);
|
|
|
6e16f6 |
static u_int32 get_logmask(const char *);
|
|
|
6e16f6 |
+static int/*BOOL*/ is_refclk_addr(const struct address_node * addr);
|
|
|
6e16f6 |
+
|
|
|
6e16f6 |
+
|
|
|
6e16f6 |
static int getnetnum(const char *num,sockaddr_u *addr, int complain,
|
|
|
6e16f6 |
enum gnn_type a_type);
|
|
|
6e16f6 |
static int get_multiple_netnums(const char *num, sockaddr_u *addr,
|
|
|
6e16f6 |
@@ -1342,7 +1344,10 @@ create_peer_node(
|
|
|
6e16f6 |
break;
|
|
|
6e16f6 |
|
|
|
6e16f6 |
case T_Ttl:
|
|
|
6e16f6 |
- if (my_node->ttl >= MAX_TTL) {
|
|
|
6e16f6 |
+ if (is_refclk_addr(addr)) {
|
|
|
6e16f6 |
+ msyslog(LOG_ERR, "'ttl' does not apply for refclocks");
|
|
|
6e16f6 |
+ errflag = 1;
|
|
|
6e16f6 |
+ } else if (option->value.i < 0 || option->value.i >= MAX_TTL) {
|
|
|
6e16f6 |
msyslog(LOG_ERR, "ttl: invalid argument");
|
|
|
6e16f6 |
errflag = 1;
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
@@ -1351,7 +1355,12 @@ create_peer_node(
|
|
|
6e16f6 |
break;
|
|
|
6e16f6 |
|
|
|
6e16f6 |
case T_Mode:
|
|
|
6e16f6 |
- my_node->ttl = option->value.i;
|
|
|
6e16f6 |
+ if (is_refclk_addr(addr)) {
|
|
|
6e16f6 |
+ my_node->ttl = option->value.i;
|
|
|
6e16f6 |
+ } else {
|
|
|
6e16f6 |
+ msyslog(LOG_ERR, "'mode' does not apply for network peers");
|
|
|
6e16f6 |
+ errflag = 1;
|
|
|
6e16f6 |
+ }
|
|
|
6e16f6 |
break;
|
|
|
6e16f6 |
|
|
|
6e16f6 |
case T_Key:
|
|
|
6e16f6 |
@@ -2674,6 +2685,16 @@ apply_enable_disable(
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
|
|
|
6e16f6 |
+/* Hack to disambiguate 'server' statements for refclocks and network peers.
|
|
|
6e16f6 |
+ * Please note the qualification 'hack'. It's just that.
|
|
|
6e16f6 |
+ */
|
|
|
6e16f6 |
+static int/*BOOL*/
|
|
|
6e16f6 |
+is_refclk_addr(
|
|
|
6e16f6 |
+ const struct address_node * addr
|
|
|
6e16f6 |
+ )
|
|
|
6e16f6 |
+{
|
|
|
6e16f6 |
+ return addr && addr->address && !strncmp(addr->address, "127.127.", 8);
|
|
|
6e16f6 |
+}
|
|
|
6e16f6 |
|
|
|
6e16f6 |
static void
|
|
|
6e16f6 |
config_system_opts(
|
|
|
6e16f6 |
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c
|
|
|
6e16f6 |
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 2017-03-22 12:54:11.270454677 +0100
|
|
|
6e16f6 |
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2017-03-22 12:54:11.279454706 +0100
|
|
|
6e16f6 |
@@ -3017,8 +3017,9 @@ peer_xmit(
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
peer->t21_bytes = sendlen;
|
|
|
6e16f6 |
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
|
|
|
6e16f6 |
- &xpkt, sendlen);
|
|
|
6e16f6 |
+ sendpkt(&peer->srcadr, peer->dstadr,
|
|
|
6e16f6 |
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
|
|
|
6e16f6 |
+ &xpkt, sendlen);
|
|
|
6e16f6 |
peer->sent++;
|
|
|
6e16f6 |
peer->throttle += (1 << peer->minpoll) - 2;
|
|
|
6e16f6 |
|
|
|
6e16f6 |
@@ -3330,8 +3331,9 @@ peer_xmit(
|
|
|
6e16f6 |
exit (-1);
|
|
|
6e16f6 |
}
|
|
|
6e16f6 |
peer->t21_bytes = sendlen;
|
|
|
6e16f6 |
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
|
|
|
6e16f6 |
- sendlen);
|
|
|
6e16f6 |
+ sendpkt(&peer->srcadr, peer->dstadr,
|
|
|
6e16f6 |
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
|
|
|
6e16f6 |
+ &xpkt, sendlen);
|
|
|
6e16f6 |
peer->sent++;
|
|
|
6e16f6 |
peer->throttle += (1 << peer->minpoll) - 2;
|
|
|
6e16f6 |
|