Limit rate of syslog messages

Error messages caused by incoming packets need to be rate limited
to avoid filling up disk space.

cmdmon.c

@@ -746,7 +746,7 @@ transmit_reply(CMD_Reply *msg, union sockaddr_in46 *where_to)
   status = sendto(sock_fd, (void *) msg, tx_message_length, 0,
                   &where_to->u, addrlen);
 
-  if (status < 0) {
+  if (status < 0 && !LOG_RateLimited()) {
     unsigned short port;
     IPAddr ip;
 
@@ -1821,7 +1821,9 @@ read_from_cmd_socket(void *anything)
 
   if (rx_message.version != PROTO_VERSION_NUMBER) {
     tx_message.status = htons(STT_NOHOSTACCESS);
-    LOG(LOGS_WARN, LOGF_CmdMon, "Read packet with protocol version %d (expected %d) from %s:%hu", rx_message.version, PROTO_VERSION_NUMBER, UTI_IPToString(&remote_ip), remote_port);
+    if (!LOG_RateLimited()) {
+      LOG(LOGS_WARN, LOGF_CmdMon, "Read packet with protocol version %d (expected %d) from %s:%hu", rx_message.version, PROTO_VERSION_NUMBER, UTI_IPToString(&remote_ip), remote_port);
+    }
     if (allowed)
       CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
 
@@ -1833,7 +1835,9 @@ read_from_cmd_socket(void *anything)
   }
 
   if (read_length != expected_length) {
-    LOG(LOGS_WARN, LOGF_CmdMon, "Read incorrectly sized packet from %s:%hu", UTI_IPToString(&remote_ip), remote_port);
+    if (!LOG_RateLimited()) {
+      LOG(LOGS_WARN, LOGF_CmdMon, "Read incorrectly sized packet from %s:%hu", UTI_IPToString(&remote_ip), remote_port);
+    }
     if (allowed)
       CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
 
@@ -1848,13 +1852,11 @@ read_from_cmd_socket(void *anything)
        regardless of the defined access rules - otherwise, we could
        shut ourselves out completely! */
 
-    /* We ought to find another way to log this, there is an attack
+    if (!LOG_RateLimited()) {
-       here against the host because an adversary can just keep
+      LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",
-       hitting us with bad packets until our log file(s) fill up. */
+          UTI_IPToString(&remote_ip),
-
+          remote_port);
-    LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",
+    }
-        UTI_IPToString(&remote_ip),
-        remote_port);
 
     tx_message.status = htons(STT_NOHOSTACCESS);
     transmit_reply(&tx_message, &where_from);
@@ -1938,7 +1940,7 @@ read_from_cmd_socket(void *anything)
       tx_message_length = PKL_ReplyLength(prev_tx_message);
       status = sendto(sock_fd, (void *) prev_tx_message, tx_message_length, 0,
                       &where_from.u, from_length);
-      if (status < 0) {
+      if (status < 0 && !LOG_RateLimited()) {
         LOG(LOGS_WARN, LOGF_CmdMon, "Could not send response to %s:%hu", UTI_IPToString(&remote_ip), remote_port);
       }
       return;
@@ -2064,7 +2066,7 @@ read_from_cmd_socket(void *anything)
 
         case REQ_LOGON:
           /* If the log-on fails, record the reason why */
-          if (!issue_token) {
+          if (!issue_token && !LOG_RateLimited()) {
             LOG(LOGS_WARN, LOGF_CmdMon,
                 "Bad command logon from %s port %d (md5_ok=%d valid_ts=%d)\n",
                 UTI_IPToString(&remote_ip),

logging.c

@@ -40,6 +40,8 @@ static int initialised = 0;
 
 static int is_detached = 0;
 
+static time_t last_limited = 0;
+
 #ifdef WINNT
 static FILE *logfile;
 #endif
@@ -213,6 +215,22 @@ LOG_GoDaemon(void)
 #endif
 }
 
+/* ================================================== */
+
+int
+LOG_RateLimited(void)
+{
+  time_t now;
+
+  now = time(NULL);
+
+  if (last_limited + 10 > now && last_limited <= now)
+    return 1;
+
+  last_limited = now;
+  return 0;
+}
+
 /* ================================================== */
 /* Force a core dump and exit without doing abort() or assert(0).
    These do funny things with the call stack in the core file that is

logging.h

@@ -87,6 +87,9 @@ extern void LOG_Position(const char *filename, int line_number, const char *func
 
 extern void LOG_GoDaemon(void);
 
+/* Return zero once per 10 seconds */
+extern int LOG_RateLimited(void);
+
 /* Line logging macro.  If the compiler is GNU C, we take advantage of
    being able to get the function name also. */
 #if defined(__GNUC__)

ntp_core.c

@@ -1393,7 +1393,7 @@ process_known
                         &inst->local_ntp_tx,
                         &inst->remote_addr);
 
-      } else {
+      } else if (!LOG_RateLimited()) {
         LOG(LOGS_WARN, LOGF_NtpCore, "NTP packet received from unauthorised host %s port %d",
             UTI_IPToString(&inst->remote_addr.ip_addr),
             inst->remote_addr.port);
@@ -1561,7 +1561,7 @@ NCR_ProcessNoauthUnknown(NTP_Packet *message, struct timeval *now, NTP_Remote_Ad
                       remote_addr);
       
     }
-  } else {
+  } else if (!LOG_RateLimited()) {
     LOG(LOGS_WARN, LOGF_NtpCore, "NTP packet received from unauthorised host %s port %d",
         UTI_IPToString(&remote_addr->ip_addr),
         remote_addr->port);

ntp_io.c

@@ -460,7 +460,7 @@ send_packet(void *packet, int packetlen, NTP_Remote_Address *remote_addr)
   if (!cmsglen)
     msg.msg_control = NULL;
 
-  if (sendmsg(sock_fd, &msg, 0) < 0) {
+  if (sendmsg(sock_fd, &msg, 0) < 0 && !LOG_RateLimited()) {
     LOG(LOGS_WARN, LOGF_NtpIO, "Could not send to %s:%d : %s",
         UTI_IPToString(&remote_addr->ip_addr), remote_addr->port, strerror(errno));
   }