[Git][NTPsec/ntpsec][master] Address incomplete fix for CVE-2015-7973
Daniel Fox Franke
gitlab at mg.gitlab.com
Thu May 5 02:08:22 UTC 2016
Daniel Fox Franke pushed to branch master at NTPsec / ntpsec
Commits:
737e1b94 by Matthew Van Gundy at 2016-05-04T22:07:17-04:00
Address incomplete fix for CVE-2015-7973
- - - - -
2 changed files:
- include/ntp_fp.h
- ntpd/ntp_proto.c
Changes:
=====================================
include/ntp_fp.h
=====================================
--- a/include/ntp_fp.h
+++ b/include/ntp_fp.h
@@ -242,6 +242,7 @@ typedef uint32_t u_fp;
#define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
#define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
#define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
+#define L_ISGEQU(a, b) L_ISHIS(a, b)
#define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)
/*
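Review bot: The new `L_ISGEQU` alias is added without a comment saying what distinguishes it from the neighbouring `L_ISGEQ`, and that distinction (unsigned versus signed comparison of the integer part) is the whole reason ntp_proto.c switches to it. `M_ISGEQ`/`M_ISHIS` are defined outside this hunk, so I am inferring their signedness from the names and from the ntp_proto.c change; if that holds, I would write `#define L_ISGEQU(a, b) L_ISHIS(a, b) /* unsigned a >= b; L_ISGEQ compares the integer part signed */`. A maintainer reaching for a ">=" macro should not have to read the M_ macros to learn which one wraps at 2^31.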
=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -875,6 +875,7 @@ receive(
} else {
peer->delay = sys_bdelay;
+ peer->xmt = p_xmt; /* for replay prevention */
}
break;
}
@@ -895,6 +896,7 @@ receive(
sys_restricted++;
return; /* ignore duplicate */
}
+ peer->xmt = p_xmt; /* for reply prevention */
return; /* hooray */
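Review bot: The comment on the added assignment reads `/* for reply prevention */`; the sibling assignment earlier in the same commit says `/* for replay prevention */`, and "replay" is the intended word. I would make it `peer->xmt = p_xmt; /* for replay prevention */` so a later grep for the replay-protection sites finds both. The enclosing receive() starts outside this hunk.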
@@ -1025,6 +1027,11 @@ receive(
} else if (L_ISEQU(&peer->xmt, &p_xmt)) {
peer->flash |= BOGON1; /* duplicate */
peer->oldpkt++;
+ msyslog(LOG_NOTICE, "Dropping duplicate packet: associd"
+ "%d peer->xmt %#010x.%08x xmt %#010x.%08x",
+ peer->associd, peer->xmt.l_ui, peer->xmt.l_uf,
+ p_xmt.l_ui, p_xmt.l_uf);
+
return;
/*
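Review bot: The new format string is split as `"... associd" "%d ..."`, so the emitted message reads `associd12` with no separator; it should be `"Dropping duplicate packet: associd %d peer->xmt %#010x.%08x xmt %#010x.%08x"` to match the sibling "Dropping replay attempt" message. Separately, this is a LOG_NOTICE line emitted once per duplicate packet with no rate limiting visible here, so a sender who can repeat a packet at the daemon can fill syslog at line rate; consider LOG_DEBUG, or logging only when `peer->oldpkt` is 1 or a multiple of some interval. The enclosing receive() starts outside this hunk.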
@@ -1055,13 +1062,18 @@ receive(
* it results in an easy DoS by sending a spoofed packet
* with the transmit timestamp far in the future.
*/
-
- if((restrict_mask & RES_DONTTRUST) &&
- L_ISGEQ(&peer->xmt, &p_xmt)) {
- peer->flash |= BOGON1;
- peer->oldpkt++;
- return;
- }
+
+ if((peer->keyid || (restrict_mask & RES_DONTTRUST)) &&
+ L_ISGEQU(&peer->xmt, &p_xmt)) {
+ peer->flash |= BOGON1;
+ peer->oldpkt++;
+ msyslog(LOG_NOTICE, "Dropping replay attempt: associd %d "
+ "peer->xmt %#010x.%08x xmt %#010x.%08x",
+ peer->associd, peer->xmt.l_ui,
+ peer->xmt.l_uf, p_xmt.l_ui, p_xmt.l_uf);
+ return;
+ }
+
/*
* Check for bogus packet in basic mode. If found, switch to
* interleaved mode and resynchronize, but only after confirming
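Review bot: The new `msyslog(LOG_NOTICE, ...)` fires for every packet rejected by the replay check, with no rate limiting, so anyone who can replay a captured packet can generate one syslog line per packet; assuming MAC verification precedes this point in receive() (outside the hunk), an authenticated peer's traffic replayed from the wire is enough. I would gate it, e.g. `if (peer->oldpkt == 1 || (peer->oldpkt & 0xff) == 0)` before the `msyslog`, or drop it to LOG_DEBUG. The comment block ending at the top of the hunk still describes only the RES_DONTTRUST rationale; now that `peer->keyid` also enables the check, a sentence such as `Authenticated associations always get the check: a forged future timestamp would not pass the MAC, so the DoS above does not apply.` would explain the new condition. Note that for unauthenticated DONTTRUST peers the unsigned compare does not change the wedge described in that comment. receive() starts outside this hunk.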
@@ -1798,6 +1810,7 @@ peer_clear(
)
{
uint8_t u;
+ l_fp xmt = peer->xmt;
/*
* Clear all values, including the optional crypto values above.
@@ -1809,6 +1822,11 @@ peer_clear(
peer->flash = peer_unfit(peer);
peer->jitter = LOGTOD(sys_precision);
+ /* Don't throw away our broadcast replay protection */
+ if (peer->hmode == MODE_BCLIENT) {
+ peer->xmt = xmt;
+ }
+
/*
* If interleave mode, initialize the alternate origin switch.
*/
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/737e1b94e7c67d296b62c8a5070cd820bf2e75cd