| busybox1.24.1: Fix CVE-2016-6301 |
| |
| [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710 |
| |
| ntpd: NTP server denial of service flaw |
| |
| The busybox NTP implementation doesn't check the NTP mode of packets |
| received on the server port and responds to any packet with the right |
| size. This includes responses from another NTP server. An attacker can |
| send a packet with a spoofed source address in order to create an |
| infinite loop of responses between two busybox NTP servers. Adding |
| more packets to the loop increases the traffic between the servers |
| until one of them has a fully loaded CPU and/or network. |
| |
| Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71] |
| CVE: CVE-2016-6301 |
| Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| Signed-off-by: Pascal Bach <pascal.bach@siemens.com> |
| |
| diff --git a/networking/ntpd.c b/networking/ntpd.c |
| index 9732c9b..0f6a55f 100644 |
| --- a/networking/ntpd.c |
| +++ b/networking/ntpd.c |
| @@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/) |
| goto bail; |
| } |
| |
| + /* Respond only to client and symmetric active packets */ |
| + if ((msg.m_status & MODE_MASK) != MODE_CLIENT |
| + && (msg.m_status & MODE_MASK) != MODE_SYM_ACT |
| + ) { |
| + goto bail; |
| + } |
| + |
| query_status = msg.m_status; |
| query_xmttime = msg.m_xmttime; |
| |