2017-02-12 09:49:29+01:00, perlinger@ntp.org
  [Sec 3389] NTP-01-016: Denial of Service via Malformed Config

diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config.c
--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464	2017-03-22 12:54:11.257454635 +0100
+++ ntp-4.2.6p5/ntpd/ntp_config.c	2017-03-22 12:57:06.919024166 +0100
@@ -311,6 +311,9 @@ void ntpd_set_tod_using(const char *);
 static u_int32 get_pfxmatch(const char **, struct masks *);
 static u_int32 get_match(const char *, struct masks *);
 static u_int32 get_logmask(const char *);
+static int/*BOOL*/ is_refclk_addr(const struct address_node * addr);
+
+
 static int getnetnum(const char *num,sockaddr_u *addr, int complain,
 		     enum gnn_type a_type);
 static int get_multiple_netnums(const char *num, sockaddr_u *addr,
@@ -1342,7 +1344,10 @@ create_peer_node(
 			break;
 
 		case T_Ttl:
-			if (my_node->ttl >= MAX_TTL) {
+			if (is_refclk_addr(addr)) {
+				msyslog(LOG_ERR, "'ttl' does not apply for refclocks");
+				errflag = 1;
+			} else if (option->value.i < 0 || option->value.i >= MAX_TTL) {
 				msyslog(LOG_ERR, "ttl: invalid argument");
 				errflag = 1;
 			}
@@ -1351,7 +1355,12 @@ create_peer_node(
 			break;
 
 		case T_Mode:
-			my_node->ttl = option->value.i;
+			if (is_refclk_addr(addr)) {
+				my_node->ttl = option->value.i;
+			} else {
+				msyslog(LOG_ERR, "'mode' does not apply for network peers");
+				errflag = 1;
+			}
 			break;
 
		case T_Key:
@@ -2674,6 +2685,16 @@ apply_enable_disable(
 	}
 }
 
+/* Hack to disambiguate 'server' statements for refclocks and network peers.
+ * Please note the qualification 'hack'. It's just that.
+ */
+static int/*BOOL*/
+is_refclk_addr(
+	const struct address_node * addr
+	)
+{
+	return addr && addr->address && !strncmp(addr->address, "127.127.", 8);
+}
 
 static void
 config_system_opts(
@@ -2920,7 +2941,9 @@ config_ttl(
 
 		curr_ttl = next_node(curr_ttl);
 	}
-	sys_ttlmax = i - 1;
+
+	if (i)
+		sys_ttlmax = i - 1;
 }
 
 
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464	2017-03-22 12:54:11.270454677 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2017-03-22 12:54:11.279454706 +0100
@@ -3017,8 +3017,9 @@ peer_xmit(
 			}
 		}
 		peer->t21_bytes = sendlen;
-		sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
-		    &xpkt, sendlen);
+		sendpkt(&peer->srcadr, peer->dstadr,
+			sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+			&xpkt, sendlen);
 		peer->sent++;
 		peer->throttle += (1 << peer->minpoll) - 2;
 
@@ -3330,8 +3331,9 @@ peer_xmit(
 		exit (-1);
 	}
 	peer->t21_bytes = sendlen;
-	sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
-	    sendlen);
+	sendpkt(&peer->srcadr, peer->dstadr,
+		sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+		&xpkt, sendlen);
 	peer->sent++;
 	peer->throttle += (1 << peer->minpoll) - 2;