2017-02-12 09:49:29+01:00, perlinger@ntp.org [Sec 3389] NTP-01-016: Denial of Service via Malformed Config diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config.c --- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 2017-03-22 12:54:11.257454635 +0100 +++ ntp-4.2.6p5/ntpd/ntp_config.c 2017-03-22 12:57:06.919024166 +0100 @@ -311,6 +311,9 @@ void ntpd_set_tod_using(const char *); static u_int32 get_pfxmatch(const char **, struct masks *); static u_int32 get_match(const char *, struct masks *); static u_int32 get_logmask(const char *); +static int/*BOOL*/ is_refclk_addr(const struct address_node * addr); + + static int getnetnum(const char *num,sockaddr_u *addr, int complain, enum gnn_type a_type); static int get_multiple_netnums(const char *num, sockaddr_u *addr, @@ -1342,7 +1344,10 @@ create_peer_node( break; case T_Ttl: - if (my_node->ttl >= MAX_TTL) { + if (is_refclk_addr(addr)) { + msyslog(LOG_ERR, "'ttl' does not apply for refclocks"); + errflag = 1; + } else if (option->value.i < 0 || option->value.i >= MAX_TTL) { msyslog(LOG_ERR, "ttl: invalid argument"); errflag = 1; } @@ -1351,7 +1355,12 @@ create_peer_node( break; case T_Mode: - my_node->ttl = option->value.i; + if (is_refclk_addr(addr)) { + my_node->ttl = option->value.i; + } else { + msyslog(LOG_ERR, "'mode' does not apply for network peers"); + errflag = 1; + } break; case T_Key: @@ -2674,6 +2685,16 @@ apply_enable_disable( } } +/* Hack to disambiguate 'server' statements for refclocks and network peers. + * Please note the qualification 'hack'. It's just that. + */ +static int/*BOOL*/ +is_refclk_addr( + const struct address_node * addr + ) +{ + return addr && addr->address && !strncmp(addr->address, "127.127.", 8); +} static void config_system_opts( @@ -2920,7 +2941,9 @@ config_ttl( curr_ttl = next_node(curr_ttl); } - sys_ttlmax = i - 1; + + if (i) + sys_ttlmax = i - 1; } diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c --- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 2017-03-22 12:54:11.270454677 +0100 +++ ntp-4.2.6p5/ntpd/ntp_proto.c 2017-03-22 12:54:11.279454706 +0100 @@ -3017,8 +3017,9 @@ peer_xmit( } } peer->t21_bytes = sendlen; - sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], - &xpkt, sendlen); + sendpkt(&peer->srcadr, peer->dstadr, + sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl], + &xpkt, sendlen); peer->sent++; peer->throttle += (1 << peer->minpoll) - 2; @@ -3330,8 +3331,9 @@ peer_xmit( exit (-1); } peer->t21_bytes = sendlen; - sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt, - sendlen); + sendpkt(&peer->srcadr, peer->dstadr, + sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl], + &xpkt, sendlen); peer->sent++; peer->throttle += (1 << peer->minpoll) - 2;