2017-02-12 09:49:29+01:00, perlinger@ntp.org

  [Sec 3389] NTP-01-016: Denial of Service via Malformed Config

diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config.c

--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464	2017-03-22 12:54:11.257454635 +0100

+++ ntp-4.2.6p5/ntpd/ntp_config.c	2017-03-22 12:57:06.919024166 +0100

@@ -311,6 +311,9 @@ void ntpd_set_tod_using(const char *);

 static u_int32 get_pfxmatch(const char **, struct masks *);

 static u_int32 get_match(const char *, struct masks *);

 static u_int32 get_logmask(const char *);

+static int/*BOOL*/ is_refclk_addr(const struct address_node * addr);

+

+

 static int getnetnum(const char *num,sockaddr_u *addr, int complain,

 		     enum gnn_type a_type);

 static int get_multiple_netnums(const char *num, sockaddr_u *addr,

@@ -1342,7 +1344,10 @@ create_peer_node(

 			break;

 		case T_Ttl:

-			if (my_node->ttl >= MAX_TTL) {

+			if (is_refclk_addr(addr)) {

+				msyslog(LOG_ERR, "'ttl' does not apply for refclocks");

+				errflag = 1;

+			} else if (option->value.i < 0 || option->value.i >= MAX_TTL) {

 				msyslog(LOG_ERR, "ttl: invalid argument");

 				errflag = 1;

 			}

@@ -1351,7 +1355,12 @@ create_peer_node(

 			break;

 		case T_Mode:

-			my_node->ttl = option->value.i;

+			if (is_refclk_addr(addr)) {

+				my_node->ttl = option->value.i;

+			} else {

+				msyslog(LOG_ERR, "'mode' does not apply for network peers");

+				errflag = 1;

+			}

 			break;

		case T_Key:

@@ -2674,6 +2685,16 @@ apply_enable_disable(

 	}

 }

+/* Hack to disambiguate 'server' statements for refclocks and network peers.

+ * Please note the qualification 'hack'. It's just that.

+ */

+static int/*BOOL*/

+is_refclk_addr(

+	const struct address_node * addr

+	)

+{

+	return addr && addr->address && !strncmp(addr->address, "127.127.", 8);

+}

 static void

 config_system_opts(

@@ -2920,7 +2941,9 @@ config_ttl(

 		curr_ttl = next_node(curr_ttl);

 	}

-	sys_ttlmax = i - 1;

+

+	if (i)

+		sys_ttlmax = i - 1;

 }

diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c

--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464	2017-03-22 12:54:11.270454677 +0100

+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2017-03-22 12:54:11.279454706 +0100

@@ -3017,8 +3017,9 @@ peer_xmit(

 			}

 		}

 		peer->t21_bytes = sendlen;

-		sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],

-		    &xpkt, sendlen);

+		sendpkt(&peer->srcadr, peer->dstadr,

+			sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],

+			&xpkt, sendlen);

 		peer->sent++;

 		peer->throttle += (1 << peer->minpoll) - 2;

@@ -3330,8 +3331,9 @@ peer_xmit(

 		exit (-1);

 	}

 	peer->t21_bytes = sendlen;

-	sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,

-	    sendlen);

+	sendpkt(&peer->srcadr, peer->dstadr,

+		sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],

+		&xpkt, sendlen);

 	peer->sent++;

 	peer->throttle += (1 << peer->minpoll) - 2;