[Git][NTPsec/ntpsec][master] Address incomplete fix for CVE-2015-7973

Daniel Fox Franke gitlab at mg.gitlab.com
Thu May 5 02:08:22 UTC 2016


Daniel Fox Franke pushed to branch master at NTPsec / ntpsec


Commits:
737e1b94 by Matthew Van Gundy at 2016-05-04T22:07:17-04:00
Address incomplete fix for CVE-2015-7973

- - - - -


2 changed files:

- include/ntp_fp.h
- ntpd/ntp_proto.c


Changes:

=====================================
include/ntp_fp.h
=====================================
--- a/include/ntp_fp.h
+++ b/include/ntp_fp.h
@@ -242,6 +242,7 @@ typedef uint32_t u_fp;
 #define	L_ISGTU(a, b)	M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
 #define	L_ISHIS(a, b)	M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
 #define	L_ISGEQ(a, b)	M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
+#define L_ISGEQU(a, b)  L_ISHIS(a, b)
 #define	L_ISEQU(a, b)	M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
 
 /*
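Review bot: The new `L_ISGEQU` alias carries no comment, so a reader of this header cannot tell why an unsigned-looking name is spelled as `L_ISHIS` rather than as a new `M_*` macro; the name suggests it is the unsigned counterpart of `L_ISGEQ`, and a line above it such as `/* unsigned >= on l_fp, spelled via L_ISHIS (see M_ISHIS) */` would record that. The define also separates the name from its expansion with spaces while the neighbouring lines use tabs, so the column alignment of the table breaks.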


=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -875,6 +875,7 @@ receive(
 
 			} else {
 				peer->delay = sys_bdelay;
+                                peer->xmt = p_xmt; /* for replay prevention */
 			}
 			break;
 		}
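Review bot: The added `peer->xmt = p_xmt; /* for replay prevention */` is indented with spaces while the surrounding lines use tabs, so it lands at the wrong column in a tab-width-8 view. The same applies to the added lines in the later hunks of this file: the second `peer->xmt` assignment, the rewritten replay-check block and the `l_fp xmt` declaration in peer_clear(). Re-indent them with tabs to match the file. receive() begins and ends outside this hunk.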
@@ -895,6 +896,7 @@ receive(
 			sys_restricted++;
 			return;			/* ignore duplicate */
 		}
+                peer->xmt = p_xmt; /* for reply prevention */
 
 		return;				/* hooray */
 
@@ -1025,6 +1027,11 @@ receive(
 	} else if (L_ISEQU(&peer->xmt, &p_xmt)) {
 		peer->flash |= BOGON1;			/* duplicate */
 		peer->oldpkt++;
+		msyslog(LOG_NOTICE, "Dropping duplicate packet: associd"
+                        "%d peer->xmt %#010x.%08x xmt %#010x.%08x",
+			peer->associd, peer->xmt.l_ui, peer->xmt.l_uf,
+                        p_xmt.l_ui, p_xmt.l_uf);
+
 		return;
 
 	/*
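Review bot: The format string of the new msyslog is split as `"... associd" "%d ..."`, so the logged text reads `associd%d` with no separator, unlike the replay message in the next hunk which uses `associd %d `; change the first fragment to `"Dropping duplicate packet: associd "`. Both this message and the replay one further down are emitted at LOG_NOTICE for every rejected packet, and since these are packets arriving from the network, a single sender repeating packets can fill the log; consider a lower level or rate limiting if the daemon already has a mechanism for that (none is visible from the hunk). The `%#010x` conversions also assume `l_ui` and `l_uf` are unsigned-int sized; if they are `uint32_t`, `PRIx32` is the portable spelling. receive() continues outside this hunk.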
@@ -1055,13 +1062,18 @@ receive(
 		 * it results in an easy DoS by sending a spoofed packet
 		 * with the transmit timestamp far in the future.
 		 */
-		
-		if((restrict_mask & RES_DONTTRUST) &&
-		   L_ISGEQ(&peer->xmt, &p_xmt)) {
-			peer->flash |= BOGON1;
-			peer->oldpkt++;
-			return;
-		}
+
+               if((peer->keyid || (restrict_mask & RES_DONTTRUST)) &&
+                  L_ISGEQU(&peer->xmt, &p_xmt)) {
+                       peer->flash |= BOGON1;
+                       peer->oldpkt++;
+                       msyslog(LOG_NOTICE, "Dropping replay attempt: associd %d "
+                               "peer->xmt %#010x.%08x xmt %#010x.%08x",
+                               peer->associd, peer->xmt.l_ui,
+                               peer->xmt.l_uf, p_xmt.l_ui, p_xmt.l_uf);
+                       return;
+               }
+
 	/*
 	 * Check for bogus packet in basic mode. If found, switch to
 	 * interleaved mode and resynchronize, but only after confirming
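Review bot: The rewritten check now also fires for peers with a `keyid` and compares with `L_ISGEQU` (the `L_ISHIS` alias added in the header hunk) instead of the signed `L_ISGEQ`, but the explanatory comment ending just above it still speaks only of the spoofed-packet DoS on untrusted sources; its opening is outside the hunk, so I cannot see whether it already covers authenticated peers. Extend that comment with one or two sentences stating why keyed peers are included and why the unsigned comparison is required here, rather than leaving the reader to infer both from the macro names. The block is also indented with spaces where the file uses tabs.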
@@ -1798,6 +1810,7 @@ peer_clear(
 	)
 {
 	uint8_t	u;
+        l_fp xmt = peer->xmt;
 
 	/*
 	 * Clear all values, including the optional crypto values above.
@@ -1809,6 +1822,11 @@ peer_clear(
 	peer->flash = peer_unfit(peer);
 	peer->jitter = LOGTOD(sys_precision);
 
+	/* Don't throw away our broadcast replay protection */
+	if (peer->hmode == MODE_BCLIENT) {
+		peer->xmt = xmt;
+	}
+
 	/*
 	 * If interleave mode, initialize the alternate origin switch.
 	 */
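Review bot: The restore at `peer->xmt = xmt;` is limited to MODE_BCLIENT, yet the replay check in receive() (earlier hunk, `peer->keyid || (restrict_mask & RES_DONTTRUST)`) now also applies to keyed associations in other modes, so a peer_clear() on such an association discards the timestamp that check relies on until it is next refreshed. I cannot tell from this hunk whether `peer->xmt` is reloaded on the next transmit for those modes, which would make this harmless; if it is, record that in the comment, e.g. `/* other modes reload xmt on the next transmit */`, and if it is not, the condition should be widened. peer_clear() begins outside this hunk.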



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/737e1b94e7c67d296b62c8a5070cd820bf2e75cd

