ntpd: respond only to client and symmetric active packets
The busybox NTP implementation doesn't check the NTP mode of packets
received on the server port and responds to any packet with the right
size. This includes responses from another NTP server. An attacker can
send a packet with a spoofed source address in order to create an
infinite loop of responses between two busybox NTP servers. Adding
more packets to the loop increases the traffic between the servers
until one of them has a fully loaded CPU and/or network.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
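--- a/networking/ntpd.c
+++ b/networking/ntpd.c
@@ -2051,6 +2051,13 @@ recv_and_process_client_pkt(void /*int f
 goto bail;
 }
 
+/* Respond only to client and symmetric active packets */
+if ((msg.m_status & MODE_MASK) != MODE_CLIENT
+ && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
+) {
+goto bail;
+}
+
 query_status = msg.m_status;
 query_xmttime = msg.m_xmttime;
 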
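Review bot: The `msg.m_status & MODE_MASK` expression is evaluated twice in the new condition; hoisting it into a local, `unsigned mode = msg.m_status & MODE_MASK;` followed by `if (mode != MODE_CLIENT && mode != MODE_SYM_ACT) goto bail;`, reads more plainly and makes it obvious both comparisons are on the same field. The comment on the check could also carry the reason from the commit message, since the code alone does not show why other modes are dropped: `/* Respond only to client and symmetric active packets: answering any other mode lets a spoofed packet start a reply loop between two servers */`. The drop is silent and shares the `bail` path with the rejection just above it, so an operator cannot distinguish malformed packets from mis-moded ones; if the function has a verbose-log path for that earlier rejection (not visible in the hunk), a matching message here would make spoofing attempts observable. recv_and_process_client_pkt starts and ends outside the hunk.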