Blob Blame History Raw
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974	2016-01-21 14:06:18.958346184 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2016-01-21 14:16:34.894828262 +0100
@@ -674,10 +674,13 @@ receive(
 		 * succeed in bloating the key cache. If an autokey,
 		 * purge it immediately, since we won't be needing it
 		 * again. If the packet is authentic, it can mobilize an
-		 * association. Note that there is no key zero.
+		 * association. If it's a persistent association using a
+		 * symmetric key, the key ID has to match the configured
+		 * value. Note that there is no key zero. 
 		 */
-		if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
-		    has_mac))
+		if ((peer && !(peer->flags & FLAG_PREEMPT) &&
+		     peer->keyid <= NTP_MAXKEY && skeyid != peer->keyid) ||
+		    !authdecrypt(skeyid, (u_int32 *)pkt, authlen, has_mac))
 			is_authentic = AUTH_ERROR;
 		else
 			is_authentic = AUTH_OK;