ntp: fix CVE-2013-5211

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-06-04 02:31:27 +00:00 · 2014-08-14 11:14:46 +08:00
parent 55ebea4bb0
commit 622ad1538b
2 changed files with 113 additions and 0 deletions
@@ -0,0 +1,112 @@
 ntp: fix CVE-2013-5211
 Upstream-status: Backport
 The monlist feature in ntp_request.c in ntpd in NTP before
 4.2.7p26 allows remote attackers to cause a denial of service
 (traffic amplification) via forged (1) REQ_MON_GETLIST or
 (2) REQ_MON_GETLIST_1 requests, as exploited in the wild
 in December 2013.
 Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
 --- a/ntpd/ntp_request.c
 +++ b/ntpd/ntp_request.c
@@ -1912,44 +1912,11 @@ mon_getlist_0(
 	struct req_pkt *inpkt
 	)
 {
 -	register struct info_monitor *im;
 -	register struct mon_data *md;
 -	extern struct mon_data mon_mru_list;
 -	extern int mon_enabled;
 -
 #ifdef DEBUG
 	if (debug > 2)
 	    printf("wants monitor 0 list\n");
 #endif
 -	if (!mon_enabled) {
 -		req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
 -		return;
 -	}
 -	im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt,
 -	    v6sizeof(struct info_monitor));
 -	for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
 -	     md = md->mru_next) {
 -		im->lasttime = htonl((u_int32)((current_time -
 -		    md->firsttime) / md->count));
 -		im->firsttime = htonl((u_int32)(current_time - md->lasttime));
 -		im->restr = htonl((u_int32)md->flags);
 -		im->count = htonl((u_int32)(md->count));
 -		if (IS_IPV6(&md->rmtadr)) {
 -			if (!client_v6_capable)
 -				continue;
 -			im->addr6 = SOCK_ADDR6(&md->rmtadr);
 -			im->v6_flag = 1;
 -		} else {
 -			im->addr = NSRCADR(&md->rmtadr);
 -			if (client_v6_capable)
 -				im->v6_flag = 0;
 -		}
 -		im->port = md->rmtport;
 -		im->mode = md->mode;
 -		im->version = md->version;
 -		im = (struct info_monitor *)more_pkt();
 -	}
 -	flush_pkt();
 +	req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
 }
 /*
@@ -1962,50 +1929,7 @@ mon_getlist_1(
 	struct req_pkt *inpkt
 	)
 {
 -	register struct info_monitor_1 *im;
 -	register struct mon_data *md;
 -	extern struct mon_data mon_mru_list;
 -	extern int mon_enabled;
 -
 -	if (!mon_enabled) {
 -		req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
 -		return;
 -	}
 -	im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt,
 -	    v6sizeof(struct info_monitor_1));
 -	for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
 -	     md = md->mru_next) {
 -		im->lasttime = htonl((u_int32)((current_time -
 -		    md->firsttime) / md->count));
 -		im->firsttime = htonl((u_int32)(current_time - md->lasttime));
 -		im->restr = htonl((u_int32)md->flags);
 -		im->count = htonl((u_int32)md->count);
 -		if (IS_IPV6(&md->rmtadr)) {
 -			if (!client_v6_capable)
 -				continue;
 -			im->addr6 = SOCK_ADDR6(&md->rmtadr);
 -			im->v6_flag = 1;
 -			im->daddr6 = SOCK_ADDR6(&md->interface->sin);
 -		} else {
 -			im->addr = NSRCADR(&md->rmtadr);
 -			if (client_v6_capable)
 -				im->v6_flag = 0;
 -			if (MDF_BCAST == md->cast_flags)
 -				im->daddr = NSRCADR(&md->interface->bcast);
 -			else if (md->cast_flags) {
 -				im->daddr = NSRCADR(&md->interface->sin);
 -				if (!im->daddr)
 -					im->daddr = NSRCADR(&md->interface->bcast);
 -			} else
 -				im->daddr = 4;
 -		}
 -		im->flags = htonl(md->cast_flags);
 -		im->port = md->rmtport;
 -		im->mode = md->mode;
 -		im->version = md->version;
 -		im = (struct info_monitor_1 *)more_pkt();
 -	}
 -	flush_pkt();
 +	req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
 }
 /*
@@ -24,6 +24,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
           file://sntp \
           file://ntpd.list \
           file://ntp-disable-debugging.patch \
           file://CVE-2013-5211.patch \
 "
 inherit autotools update-rc.d useradd systemd