<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=utf-8" http-equiv="Content-Type">

<title>

GitLab

</title>

</head>

<body>

<style type="text/css">

img {

max-width: 100%; height: auto;

}

</style>

<div class="content">

<h3>

Daniel Fox Franke pushed to branch master

at <a href="https://gitlab.com/NTPsec/ntpsec">NTPsec / ntpsec</a>

</h3>

<h4>

Commits:

</h4>

<ul>

<li>

<strong><a href="https://gitlab.com/NTPsec/ntpsec/commit/4911e2df0c54414a539685545780168757879434">4911e2df</a></strong>

<div>

<span>by Daniel Fox Franke</span>

<i>at 2016-11-23T16:30:34-05:00</i>

</div>

<pre class="commit-message" style="margin: 0; white-space: pre-wrap">Fix authentication

This corrects two evil bugs, one of which was introduced during the

protocol refactor.  That one would have been a vulnerability but

fortunately 1. the other was masking it, and 2. this bug never made

it in a release. Phew.

First bug: missing exit after failed authentication, which would have

allowed misauthenticated packets to be accepted. Yikes!

Second bug: Even correctly authenticated packets were getting rejected

by different security check. handle_procpkt() checks that there's a

request in flight before it's willing to process any response. But due

to a bug that predates the fork from NTP Classic, authenticated

requests never got their outcount incremented.

This is why we test things...

</pre>

</li>

</ul>

<h4>1 changed file:</h4>

<ul>

<li class="file-stats">

<a href="#a9eeb2d7f139fd99254bacd1e507b63de174c843" style="text-decoration: none">

ntpd/ntp_proto.c

</a>

</li>

</ul>

<h4>Changes:</h4>

<li id="a9eeb2d7f139fd99254bacd1e507b63de174c843">

<a href="https://gitlab.com/NTPsec/ntpsec/commit/4911e2df0c54414a539685545780168757879434#a9eeb2d7f139fd99254bacd1e507b63de174c843"><strong>ntpd/ntp_proto.c</strong></a>

<hr>

<table class="code white" style="-premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%; background: #fff; font-family: monospace; font-size: 13px" bgcolor="#fff" width="100%" cellpadding="0" cellspacing="0">

<tr class="line_holder match" style="line-height: 1.5">

<td class="diff-line-num unfold js-unfold old_line" data-linenumber="787" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">...</td>

<td class="diff-line-num unfold js-unfold new_line" data-linenumber="787" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">...</td>

<td class="line_content match " style="background: #fafafa; color: rgba(0,0,0,0.3); padding-left: 0.5em; padding-right: 0.5em" bgcolor="#fafafa">@@ -787,6 +787,7 @@ receive(</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="787" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

787

</td>

<td class="diff-line-num new_line" data-linenumber="787" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

787

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC787" class="line">                         <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">badauth</span><span class="o" style="font-weight: bold">++</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="788" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

788

</td>

<td class="diff-line-num new_line" data-linenumber="788" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

788

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC788" class="line">                         <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">flash</span> <span class="o" style="font-weight: bold">|=</span> <span class="n" style="color: #333">BOGON5</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="789" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

789

</td>

<td class="diff-line-num new_line" data-linenumber="789" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

789

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC789" class="line">                 <span class="p">}</span></span>

</pre>

</td>

</tr>

<tr class="line_holder new" style="line-height: 1.5">

<td class="diff-line-num new old_line" data-linenumber="790" style="background: #ddfbe6; border-right-color: #c7f0d2; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#ddfbe6">

</td>

<td class="diff-line-num new new_line" data-linenumber="790" style="background: #ddfbe6; border-right-color: #c7f0d2; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#ddfbe6">

790

</td>

<td class="line_content new noteable_line" style="background: #ecfdf0; padding-left: 0.5em; padding-right: 0.5em" bgcolor="#ecfdf0">

<pre style="margin: 0"><span id="LC790" class="line">                 <span class="k" style="font-weight: bold">goto</span> <span class="n" style="color: #333">done</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="790" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

790

</td>

<td class="diff-line-num new_line" data-linenumber="791" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

791

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC791" class="line">         <span class="p">}</span> <span class="k" style="font-weight: bold">else</span> <span class="p">{</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="791" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

791

</td>

<td class="diff-line-num new_line" data-linenumber="792" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

792

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC792" class="line">                 <span class="n" style="color: #333">authenticated</span> <span class="o" style="font-weight: bold">=</span> <span class="nb" style="color: #0086b3">true</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="792" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

792

</td>

<td class="diff-line-num new_line" data-linenumber="793" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

793

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC793" class="line">         <span class="p">}</span></span>

</pre>

</td>

</tr>

<tr class="line_holder match" style="line-height: 1.5">

<td class="diff-line-num unfold js-unfold old_line" data-linenumber="2228" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">...</td>

<td class="diff-line-num unfold js-unfold new_line" data-linenumber="2229" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">...</td>

<td class="line_content match " style="background: #fafafa; color: rgba(0,0,0,0.3); padding-left: 0.5em; padding-right: 0.5em" bgcolor="#fafafa">@@ -2228,6 +2229,7 @@ peer_xmit(</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2228" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2228

</td>

<td class="diff-line-num new_line" data-linenumber="2229" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2229

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2229" class="line">        <span class="n" style="color: #333">sendpkt</span><span class="p">(</span><span class="o" style="font-weight: bold">&</span><span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">srcadr</span><span class="p">,</span> <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">dstadr</span><span class="p">,</span> <span class="n" style="color: #333">sys_ttl</span><span class="p">[</span><span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">ttl</span><span class="p">],</span> <span class="o" style="font-weight: bold">&</span><span class="n" style="color: #333">xpkt</span><span class="p">,</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2229" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2229

</td>

<td class="diff-line-num new_line" data-linenumber="2230" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2230

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2230" class="line">            <span class="n" style="color: #333">sendlen</span><span class="p">);</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2230" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2230

</td>

<td class="diff-line-num new_line" data-linenumber="2231" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2231

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2231" class="line">        <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">sent</span><span class="o" style="font-weight: bold">++</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder new" style="line-height: 1.5">

<td class="diff-line-num new old_line" data-linenumber="2231" style="background: #ddfbe6; border-right-color: #c7f0d2; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#ddfbe6">

</td>

<td class="diff-line-num new new_line" data-linenumber="2232" style="background: #ddfbe6; border-right-color: #c7f0d2; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#ddfbe6">

2232

</td>

<td class="line_content new noteable_line" style="background: #ecfdf0; padding-left: 0.5em; padding-right: 0.5em" bgcolor="#ecfdf0">

<pre style="margin: 0"><span id="LC2232" class="line">        <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">outcount</span><span class="o" style="font-weight: bold">++</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2231" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2231

</td>

<td class="diff-line-num new_line" data-linenumber="2233" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2233

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2233" class="line">        <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">throttle</span> <span class="o" style="font-weight: bold">+=</span> <span class="p">(</span><span class="mi" style="color: #099">1</span> <span class="o" style="font-weight: bold"><<</span> <span class="n" style="color: #333">peer</span><span class="o" style="font-weight: bold">-></span><span class="n" style="color: #333">minpoll</span><span class="p">)</span> <span class="o" style="font-weight: bold">-</span> <span class="mi" style="color: #099">2</span><span class="p">;</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2232" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2232

</td>

<td class="diff-line-num new_line" data-linenumber="2234" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2234

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2234" class="line"><span class="cp" style="color: #999; font-weight: bold">#ifdef DEBUG</span></span>

</pre>

</td>

</tr>

<tr class="line_holder" style="line-height: 1.5">

<td class="diff-line-num old_line" data-linenumber="2233" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2233

</td>

<td class="diff-line-num new_line" data-linenumber="2235" style="background: #fafafa; border-right-color: #f0f0f0; border-right-style: solid; border-right-width: 1px; color: rgba(0,0,0,0.3); padding: 0 5px; text-align: right; width: 35px" align="right" bgcolor="#fafafa">

2235

</td>

<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em">

<pre style="margin: 0"><span id="LC2235" class="line">        <span class="k" style="font-weight: bold">if</span> <span class="p">(</span><span class="n" style="color: #333">debug</span><span class="p">)</span></span>

</pre>

</td>

</tr>

</table>

<br>

</li>

</div>

<div class="footer" style="margin-top: 10px">

<p style="color: #777; font-size: small">

—

<br>

<a href="https://gitlab.com/NTPsec/ntpsec/commit/4911e2df0c54414a539685545780168757879434">View it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Commit","url":"https://gitlab.com/NTPsec/ntpsec/commit/4911e2df0c54414a539685545780168757879434"}}</script>

</p>

</div>

</body>

</html>