busybox: v1.25.0 upstream patches
[openwrt/openwrt.git] / package / utils / busybox / patches / 000-busybox-1.25.0-ntpd.patch
1 ntpd: respond only to client and symmetric active packets
2 The busybox NTP implementation doesn't check the NTP mode of packets
3 received on the server port and responds to any packet with the right
4 size. This includes responses from another NTP server. An attacker can
5 send a packet with a spoofed source address in order to create an
6 infinite loop of responses between two busybox NTP servers. Adding
7 more packets to the loop increases the traffic between the servers
8 until one of them has a fully loaded CPU and/or network.
9
10 Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
11 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
12
13 --- a/networking/ntpd.c
14 +++ b/networking/ntpd.c
15 @@ -2051,6 +2051,13 @@ recv_and_process_client_pkt(void /*int f
16 goto bail;
17 }
18
19 + /* Respond only to client and symmetric active packets */
20 + if ((msg.m_status & MODE_MASK) != MODE_CLIENT
21 + && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
22 + ) {
23 + goto bail;
24 + }
25 +
26 query_status = msg.m_status;
27 query_xmttime = msg.m_xmttime;
28