SECURITY:

Fix a DoS attack from certain NTP mode 7 packets. If an attacker spoofed a source address, ntpd hosts could be made to endlessly send responses to each other or to themselves. CVE-2009-3563.
2010-01-20 20:43:59 +00:00 · 2010-01-20 20:43:59 +00:00 · f31431be18
commit f31431be18
parent 0cd0d135bf
2 changed files with 30 additions and 2 deletions
--- a/net/ntp/Makefile
+++ b/net/ntp/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2009/05/23 16:32:29 naddy Exp $
+# $OpenBSD: Makefile,v 1.42 2010/01/20 20:43:59 naddy Exp $

 COMMENT=	Network Time Protocol reference implementation

@ -8,7 +8,7 @@ COMMENT=	Network Time Protocol reference implementation

 VERSION=	4.2.4p7
 DISTNAME=	ntp-${VERSION}
-PKGNAME=	ntp-${VERSION:S/p/pl/}
+PKGNAME=	ntp-${VERSION:S/p/pl/}p0
 CATEGORIES=	net
 MASTER_SITES=	ftp://archive.ntp.org/ntp4/ntp-4.2/ \
 		http://archive.ntp.org/ntp4/ntp-4.2/
--- a/net/ntp/patches/patch-ntpd_ntp_request_c
+++ b/net/ntp/patches/patch-ntpd_ntp_request_c
@ -0,0 +1,28 @@
+$OpenBSD: patch-ntpd_ntp_request_c,v 1.1 2010/01/20 20:43:59 naddy Exp $
+--- ntpd/ntp_request.c.orig	Tue May 12 07:59:01 2009
+++ ntpd/ntp_request.c	Wed Jan 20 21:24:13 2010
+@@ -409,6 +409,7 @@ process_private(
+ 	int mod_okay
+ 	)
+ {
+	static u_long quiet_until;
+ 	struct req_pkt *inpkt;
+ 	struct req_pkt_tail *tailinpkt;
+ 	struct sockaddr_storage *srcadr;
+@@ -444,8 +445,14 @@ process_private(
+ 	    || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
+ 	    || (++ec, rbufp->recv_length < REQ_LEN_HDR)
+ 		) {
+-		msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr));
+-		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+		NLOG(NLOG_SYSEVENT)
+			if (current_time >= quiet_until) {
+				msyslog(LOG_ERR,
+					"process_private: drop test %d"
+					" failed, pkt from %s",
+					ec, stoa(srcadr));
+				quiet_until = current_time + 60;
+			}
+ 		return;
+ 	}
+