From 59d1b417165c225e29748964a3b1d57c18e55eb6 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Thu, 21 Jun 2018 17:29:43 +0200
Subject: [PATCH] ntp: restrict use of sub-second polling intervals

When the local polling interval is adjusted between minpoll and maxpoll
to a sub-second value, check if the source is reachable and the minimum
measured delay is 10 milliseconds or less. If it's not, ignore the
maxpoll value and set the interval to 1 second.

This should prevent clients (mis)configured with an extremely short
minpoll/maxpoll from flooding servers on the Internet.
---
 ntp_core.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ntp_core.c b/ntp_core.c
index 1c449f6..fa2f762 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -268,6 +268,11 @@ static ARR_Instance broadcasts;
 #define MIN_MAXPOLL 0
 #define MAX_POLL 24
 
+/* Enable sub-second polling intervals only when the peer delay is not
+   longer than 10 milliseconds to restrict them to local networks */
+#define MIN_NONLAN_POLL 0
+#define MAX_LAN_PEER_DELAY 0.01
+
 /* Kiss-o'-Death codes */
 #define KOD_RATE 0x52415445UL /* RATE */
 
@@ -742,6 +747,13 @@ adjust_poll(NCR_Instance inst, double adj)
     inst->local_poll = inst->maxpoll;
     inst->poll_score = 1.0;
   }
+
+  /* Don't allow a sub-second polling interval if the source is not reachable
+     or it is not in a local network according to the measured delay */
+  if (inst->local_poll < MIN_NONLAN_POLL &&
+      (!SRC_IsReachable(inst->source) ||
+       SST_MinRoundTripDelay(SRC_GetSourcestats(inst->source)) > MAX_LAN_PEER_DELAY))
+    inst->local_poll = MIN_NONLAN_POLL;
 }
 
 /* ================================================== */