Commit 973bc3eb authored by Kurt Roeckx

Properly fix CVE-2015-7704

parent dde9f2be
......@@ -2,8 +2,10 @@ ntp (1:4.2.8p4+dfsg-3) unstable; urgency=medium
* Remove rlimit memlock from default config file, the default is now
to no longer lock. (Closes: #793745)
* Really properly fix CVE-2015-7704, thanks to Miroslav Lichvar
<mlichvar@redhat.com>
-- Kurt Roeckx <kurt@roeckx.be> Thu, 22 Oct 2015 20:39:36 +0200
-- Kurt Roeckx <kurt@roeckx.be> Thu, 22 Oct 2015 20:44:44 +0200
ntp (1:4.2.8p4+dfsg-2) unstable; urgency=medium
......
......@@ -2,12 +2,140 @@ Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c
===================================================================
--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c
+++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c
@@ -1441,7 +1441,7 @@ receive(
* rate that the server sends
@@ -37,19 +37,6 @@
#define AUTH_CRYPTO 3 /* crypto_NAK */
/*
- * Set up Kiss Code values
- */
-
-enum kiss_codes {
- NOKISS, /* No Kiss Code */
- RATEKISS, /* Rate limit Kiss Code */
- DENYKISS, /* Deny Kiss */
- RSTRKISS, /* Restricted Kiss */
- XKISS, /* Experimental Kiss */
- UNKNOWNKISS /* Unknown Kiss Code */
-};
-
-/*
* traffic shaping parameters
*/
#define NTP_IBURST 6 /* packets in iburst */
@@ -152,7 +139,6 @@ u_long sys_declined; /* declined */
u_long sys_limitrejected; /* rate exceeded */
u_long sys_kodsent; /* KoD sent */
-static int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
static double root_distance (struct peer *);
static void clock_combine (peer_select *, int, int);
static void peer_xmit (struct peer *);
@@ -200,34 +186,6 @@ set_sys_leap(u_char new_sys_leap) {
}
/*
- * Kiss Code check
- */
-int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid) {
-
- if ( hismode == MODE_SERVER
- && hisleap == LEAP_NOTINSYNC
- && hisstratum == STRATUM_UNSPEC) {
- if(memcmp(&refid,"RATE", 4) == 0) {
- return (RATEKISS);
- }
- else if(memcmp(&refid,"DENY", 4) == 0) {
- return (DENYKISS);
- }
- else if(memcmp(&refid,"RSTR", 4) == 0) {
- return (RSTRKISS);
- }
- else if(memcmp(&refid,"X", 1) == 0) {
- return (XKISS);
- }
- else {
- return (UNKNOWNKISS);
- }
- }
- else {
- return (NOKISS);
- }
-}
-/*
* transmit - transmit procedure called by poll timeout
*/
void
@@ -434,7 +392,6 @@ receive(
u_char hismode; /* packet mode */
u_char hisstratum; /* packet stratum */
u_short restrict_mask; /* restrict bits */
- int kissCode = NOKISS; /* Kiss Code */
int has_mac; /* length of MAC field */
int authlen; /* offset of MAC field */
int is_authentic = 0; /* cryptosum ok */
@@ -1340,7 +1297,6 @@ receive(
peer->flip = 1;
report_event(PEVNT_XLEAVE, peer, NULL);
}
- return; /* Bogus packet, we are done */
} else {
L_CLR(&peer->aorg);
}
@@ -1362,7 +1318,6 @@ receive(
peer->bogusorg++;
peer->flags |= FLAG_XBOGUS;
peer->flash |= TEST2; /* bogus */
- return; /* Bogus packet, we are done */
}
/*
@@ -1427,22 +1382,11 @@ receive(
* this maximum and advance the headway to give the sender some
* headroom. Very intricate.
*/
-
- /*
- * Check for any kiss codes. Note this is only used when a server
- * responds to a packet request
- */
-
- kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
-
- /*
- * Check to see if this is a RATE Kiss Code
- * Currently this kiss code will accept whatever poll
- * rate that the server sends
- */
peer->ppoll = max(peer->minpoll, pkt->ppoll);
- if (kissCode == RATEKISS) {
+ if (kissCode == RATEKISS && !(peer->flash & PKT_TEST_MASK)) {
peer->selbroken++; /* Increment the KoD count */
- peer->selbroken++; /* Increment the KoD count */
+ if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
+ hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
+ "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
+ peer->selbroken++;
report_event(PEVNT_RATE, peer, NULL);
if (pkt->ppoll > peer->minpoll)
peer->minpoll = peer->ppoll;
@@ -1451,11 +1395,6 @@ receive(
poll_update(peer, pkt->ppoll);
return; /* kiss-o'-death */
}
- if (kissCode != NOKISS) {
- peer->selbroken++; /* Increment the KoD count */
- return; /* Drop any other kiss code packets */
- }
-
/*
* That was hard and I am sweaty, but the packet is squeaky
@@ -1632,7 +1571,9 @@ process_packet(
sys_processed++;
peer->processed++;
p_del = FPTOD(NTOHS_FP(pkt->rootdelay));
- p_offset = 0;
+#ifdef __GNUC__
+ p_offset = 0; /* quiet bogus uninitialized value warning */
+#endif
p_disp = FPTOD(NTOHS_FP(pkt->rootdisp));
NTOHL_FP(&pkt->reftime, &p_reftime);
NTOHL_FP(&pkt->org, &p_org);
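Review bot: The rewritten KoD test in receive() is now the only guard between a packet already flagged bogus and the rate-limit handling, because the same patch removes both `return; /* Bogus packet, we are done */` exits after the origin-timestamp checks; that reliance on `!(peer->flash & PKT_TEST_MASK)` deserves a comment directly above the `if`, for example `/* Honour a RATE KoD only when no PKT_TEST_MASK flash bit is set, so a reply that failed the origin check cannot raise minpoll (CVE-2015-7704) */`. With those returns gone, the context line `peer->ppoll = max(peer->minpoll, pkt->ppoll);` appears to run for packets that already carry TEST2, so it is worth confirming that the code after this hunk rejects them before that peer state is used; receive() starts and ends outside the visible hunks, and PKT_TEST_MASK is defined elsewhere. The final hunk also restricts `p_offset = 0;` to `#ifdef __GNUC__` builds, which is unrelated to the CVE. Unless every path in process_packet assigns p_offset before reading it (not visible here), keeping the unconditional initialisation is the safer choice.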