Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | 1 | busybox1.24.1: Fix CVE-2016-6301 |
| 2 | |
| 3 | [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710 |
| 4 | |
| 5 | ntpd: NTP server denial of service flaw |
| 6 | |
| 7 | The busybox NTP implementation doesn't check the NTP mode of packets |
| 8 | received on the server port and responds to any packet with the right |
| 9 | size. This includes responses from another NTP server. An attacker can |
| 10 | send a packet with a spoofed source address in order to create an |
| 11 | infinite loop of responses between two busybox NTP servers. Adding |
| 12 | more packets to the loop increases the traffic between the servers |
| 13 | until one of them has a fully loaded CPU and/or network. |
| 14 | |
| 15 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71] |
| 16 | CVE: CVE-2016-6301 |
| 17 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 18 | Signed-off-by: Pascal Bach <pascal.bach@siemens.com> |
| 19 | |
| 20 | diff --git a/networking/ntpd.c b/networking/ntpd.c |
| 21 | index 9732c9b..0f6a55f 100644 |
| 22 | --- a/networking/ntpd.c |
| 23 | +++ b/networking/ntpd.c |
| 24 | @@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/) |
| 25 | goto bail; |
| 26 | } |
| 27 | |
| 28 | + /* Respond only to client and symmetric active packets */ |
| 29 | + if ((msg.m_status & MODE_MASK) != MODE_CLIENT |
| 30 | + && (msg.m_status & MODE_MASK) != MODE_SYM_ACT |
| 31 | + ) { |
| 32 | + goto bail; |
| 33 | + } |
| 34 | + |
| 35 | query_status = msg.m_status; |
| 36 | query_xmttime = msg.m_xmttime; |
| 37 | |
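Review bot: the mode check added before `query_status = msg.m_status;` still accepts MODE_SYM_ACT, so the response loop described in the commit message is closed only if the reply built later in recv_and_process_client_pkt() carries a mode that this same check rejects. That part of the function is not visible in this hunk, so please confirm it, and extend the comment to say why other modes are dropped (a reply from another server must never trigger a reply). A smaller point: `msg.m_status & MODE_MASK` is computed twice in the condition. Reading it once into a local would make the test easier to follow and to extend.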