[Git][NTPsec/ntpsec][master] 3 commits: CVE-2016-1548: check FLAG_XLEAVE before pivoting into interleaved mode
Daniel Fox Franke
gitlab at mg.gitlab.com
Thu May 5 00:45:18 UTC 2016
Daniel Fox Franke pushed to branch master at NTPsec / ntpsec
Commits:
c656103d by Daniel Fox Franke at 2016-05-04T16:58:40-04:00
CVE-2016-1548: check FLAG_XLEAVE before pivoting into interleaved mode
- - - - -
39035971 by Daniel Fox Franke at 2016-05-04T19:25:30-04:00
CVE-2016-1551: harden against spoofing of refclock addresses
- - - - -
3d6de636 by Daniel Fox Franke at 2016-05-04T20:40:48-04:00
CVE-2016-2519: avoid assertion crash on ctl_getitem() error
- - - - -
3 changed files:
- ntpd/ntp_control.c
- ntpd/ntp_io.c
- ntpd/ntp_proto.c
Changes:
=====================================
ntpd/ntp_control.c
=====================================
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -2875,7 +2875,12 @@ read_sysvars(void)
gotvar = 1;
} else {
v = ctl_getitem(ext_sys_var, &valuep);
- NTP_INSIST(v != NULL);
+ if (NULL == v) {
+ ctl_error(CERR_BADVALUE);
+ free(wants);
+ return;
+ }
+
if (EOV & v->flags) {
ctl_error(CERR_UNKNOWNVAR);
free(wants);
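Review bot: The new `NULL == v` branch in read_sysvars has no comment saying why the old assertion was wrong here, and the same applies to the matching branch in the read_clockstatus hunk. Judging by the commit title, the value comes from parsing request data, so a failure is an input error and not a broken invariant. I would add `/* ctl_getitem() failed on request data: reject the request, never assert (CVE-2016-2519) */` above both branches so that nobody restores the INSIST later. The hunk does not show whether ctl_getitem() already calls ctl_error() on some of its failure paths; if it does, the added `ctl_error(CERR_BADVALUE)` would send a second error response for the same request, which is worth confirming. read_sysvars starts and ends outside the hunk.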
@@ -4126,7 +4131,13 @@ read_clockstatus(
gotvar = true;
} else {
v = ctl_getitem(kv, &valuep);
- NTP_INSIST(NULL != v);
+ if (NULL == v) {
+ ctl_error(CERR_BADVALUE);
+ free(wants);
+ free_varlist(cs.kv_list);
+ return;
+ }
+
if (EOV & v->flags) {
ctl_error(CERR_UNKNOWNVAR);
free(wants);
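Review bot: The error exits in read_clockstatus now repeat their cleanup by hand, and the new branch releases both `wants` and `cs.kv_list`. The visible part of the following `EOV` branch shows only `free(wants)` before the hunk ends, so it cannot be checked from here that every early return releases the same two allocations. A single cleanup label at the end of the function, reached with `goto` after `ctl_error(...)`, would keep the exits consistent and make a missed `free_varlist(cs.kv_list)` impossible. The function body begins and ends outside the hunk.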
=====================================
ntpd/ntp_io.c
=====================================
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3517,6 +3517,17 @@ read_network_packet(
DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
fd, buflen, stoa(&rb->recv_srcadr)));
+ if (ISREFCLOCKADR(&rb->recv_srcadr)) {
+ msyslog(LOG_ERR, "recvfrom(%s) fd=%d: refclock srcadr on a network interface!",
+ stoa(&rb->recv_srcadr), fd);
+ DPRINTF(1, ("read_network_packet: fd=%d dropped (refclock srcadr))\n",
+ fd));
+ packets_dropped++;
+ freerecvbuf(rb);
+ return (buflen);
+ }
+
+
/*
** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
*/
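Review bot: The added drop path in read_network_packet calls `msyslog(LOG_ERR, ...)` once per offending packet, and `rb->recv_srcadr` is chosen by the sender, so a stream of such packets can fill the system log without limit. The `packets_dropped++` counter already records the event, so I would log at a lower priority or at most once per interval rather than per packet. The DPRINTF format string also has a stray closing parenthesis and should read `"read_network_packet: fd=%d dropped (refclock srcadr)\n"`, and the hunk adds two blank lines where one is enough. The function continues outside the hunk.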
=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1071,8 +1071,9 @@ receive(
if (!L_ISEQU(&p_org, &peer->aorg) || L_ISZERO(&p_org)) {
peer->bogusorg++;
peer->flash |= BOGON2; /* bogus */
- if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
- &peer->dst)) {
+ if (peer->flags & FLAG_XLEAVE &&
+ !L_ISZERO(&peer->dst) &&
+ L_ISEQU(&p_org, &peer->dst)) {
peer->flip = 1;
report_event(PEVNT_XLEAVE, peer, NULL);
}
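Review bot: The flag test in the new condition is written as `peer->flags & FLAG_XLEAVE &&` without parentheses. It evaluates correctly because `&` binds tighter than `&&`, but a bitmask test next to a logical operator is easy to misread and easy to break in a later edit; I would write `if ((peer->flags & FLAG_XLEAVE) &&`. A one-line comment above it would also help, for example `/* only an association configured for interleave may flip into interleaved mode (CVE-2016-1548) */`, since the reason for the extra condition is otherwise recorded only in the commit title. receive() starts and ends outside the hunk.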
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/ba2004b2ce4cdb2e0b1c0be5b7d58dbf4a1c9e10...3d6de636a32300f0fa35b6b4b5468550cdae0fac