38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
busybox1.24.1: Fix CVE-2016-6301
|
|
|
|
[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
|
|
|
|
ntpd: NTP server denial of service flaw
|
|
|
|
The busybox NTP implementation doesn't check the NTP mode of packets
|
|
received on the server port and responds to any packet with the right
|
|
size. This includes responses from another NTP server. An attacker can
|
|
send a packet with a spoofed source address in order to create an
|
|
infinite loop of responses between two busybox NTP servers. Adding
|
|
more packets to the loop increases the traffic between the servers
|
|
until one of them has a fully loaded CPU and/or network.
|
|
|
|
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
|
|
CVE: CVE-2016-6301
|
|
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
|
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
|
|
|
diff --git a/networking/ntpd.c b/networking/ntpd.c
|
|
index 9732c9b..0f6a55f 100644
|
|
--- a/networking/ntpd.c
|
|
+++ b/networking/ntpd.c
|
|
@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
|
|
goto bail;
|
|
}
|
|
|
|
+ /* Respond only to client and symmetric active packets */
|
|
+ if ((msg.m_status & MODE_MASK) != MODE_CLIENT
|
|
+ && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
|
|
+ ) {
|
|
+ goto bail;
|
|
+ }
|
|
+
|
|
query_status = msg.m_status;
|
|
query_xmttime = msg.m_xmttime;
|
|
|