[Git][NTPsec/ntpsec][master] Fixes for parsing NTP extension fields.

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Mon Feb 16 06:59:48 UTC 2026



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
09b2e035 by David Venhoek at 2026-02-15T22:55:06-08:00
Fixes for parsing NTP extension fields.

There is no such thing as critical NTP extension fields, so the type
shouldn't be masked during parsing. Furthermore, RFC 5905 does not
explicitly state messages with unknown extension fields should be
rejected, and doing so could cause issues for the adoption of new
extensions.

- - - - -


1 changed file:

- ntpd/nts_extens.c


Changes:

=====================================
ntpd/nts_extens.c
=====================================
@@ -136,7 +136,6 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 
 	while (buf.left >= NTS_KE_HDR_LNG) {
 		uint16_t type;
-		bool critical = false;
 		int length, adlength;
 		size_t outlen;
 		uint8_t *nonce, *cmac;
@@ -146,10 +145,6 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 		if (length&3 || length > buf.left || length < 0) {
 			return false;
 		}
-		if (NTS_CRITICAL & type) {
-			critical = true;
-			type &= ~NTS_CRITICAL;
-		}
 		switch (type) {
 		    case Unique_Identifier:
 			if (length > NTS_UID_MAX_LENGTH) {
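Review bot: Removing the NTS_CRITICAL mask ahead of `switch (type)` changes dispatch for any field type with that bit set, and nothing in the code says so. Such a type used to be masked and matched against cases such as Unique_Identifier; it now reaches `default` as an unknown type. That matches the commit message. A short comment above the switch saying the type is compared unmasked, because NTP extension fields have no critical bit, would keep the mask from being reintroduced later.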
@@ -238,13 +233,10 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 		    default:
 			/* Non NTS extensions on requests at server.
 			 * Call out when we get some that we want.
-			 * Until then, it's probably a bug. */
-			if (critical) {
-				return false;
-			}
+			 * Until then, just ignore it */
 			buf.next += length;
 			buf.left -= length;
-			return false;
+			break;
 		}
 	}
 
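Review bot: In the `default` case of extens_server_recv, unknown extension fields are now skipped with no trace, whereas the old `return false` at least showed up as a rejected request. Consider incrementing a statistics counter for skipped unknown types, so operators can see when clients start sending new extensions. A counter is preferable to a per-packet log message, which a remote sender could use to flood the log. The reworded comment could also name the counter once it exists.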
@@ -358,7 +350,6 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
 
 	while (buf.left >= NTS_KE_HDR_LNG) {
 		uint16_t type;
-		bool critical = false;
 		int length, adlength, noncelen;
 		uint8_t *nonce, *ciphertext, *plaintext;
 		size_t outlen;
@@ -367,10 +358,6 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
 		type = ex_next_record(&buf, &length); /* length excludes header */
 		if (length&3 || length > buf.left || length < 0)
 			return false;
-		if (NTS_CRITICAL & type) {
-			critical = true;
-			type &= ~NTS_CRITICAL;
-		}
 		//     printf("ECR: %d, %d, %d\n", type, length, buf.left);
 		switch (type) {
 		    case Unique_Identifier:
@@ -427,12 +414,10 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
 		    default:
 			/* Non NTS extensions on reply from server.
 			 * Call out when we get some that we want.
-			 * For now, it's probably a bug. */
-			if (critical)
-				return false;
+			 * For now, just ignore it */
 			buf.next += length;
 			buf.left -= length;
-			return false;
+			break;
 		}
 	}
 
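Review bot: The `default` case in extens_client_recv now continues parsing after an unknown field instead of returning false, and the commit changes only ntpd/nts_extens.c, so no test exercises the new path. A test that feeds a reply with an unknown field type ahead of the known ones would pin down the behaviour. A second test with an unknown type and a bad length should still fail at the `length&3 || length > buf.left || length < 0` check. The same pair of cases applies to the server parser.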



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/09b2e035cc87473a3103d0526a92e366bd75d91c
