From 8220e51ae4421c0441507e6f6c71d607d3d062ab Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 20 Jul 2016 12:47:38 +0200
Subject: [PATCH] ntp: check for extension fields only in NTPv4 packets
---
 ntp_core.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ntp_core.c b/ntp_core.c
index fe894f9..2602e9e 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1104,12 +1104,13 @@ check_packet_format(NTP_Packet *message, int length)
 static int
 check_packet_auth(NTP_Packet *pkt, int length, int *has_auth, uint32_t *key_id)
 {
- int i, remainder, ext_length;
+ int i, version, remainder, ext_length;
 unsigned char *data;
 uint32_t id;
 /* Go through extension fields and see if there is a valid MAC */
+ version = NTP_LVM_TO_VERSION(pkt->lvm);
 i = NTP_NORMAL_PACKET_LENGTH;
 data = (void *)pkt;
@@ -1131,9 +1132,9 @@ check_packet_auth(NTP_Packet *pkt, int length, int *has_auth, uint32_t *key_id)
 }
 }
- /* Check if this is a valid field extension. They consist of 16-bit type,
- 16-bit length of the whole field aligned to 32 bits and data. */
- if (remainder >= NTP_MIN_EXTENSION_LENGTH) {
+ /* Check if this is a valid NTPv4 extension field and skip it. It should
+ have a 16-bit type, 16-bit length, and data padded to 32 bits. */
+ if (version == 4 && remainder >= NTP_MIN_EXTENSION_LENGTH) {
 ext_length = ntohs(*(uint16_t *)(data + i + 2));
 if (ext_length >= NTP_MIN_EXTENSION_LENGTH && ext_length <= remainder && ext_length % 4 == 0) {
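Review bot: The new condition `version == 4 && remainder >= NTP_MIN_EXTENSION_LENGTH` in the second hunk does not say why older versions are excluded, and the commit message has no body, so the reason is left for the reader to infer. Presumably it is that extension fields are defined only for NTPv4, so in an older packet any bytes after the header can only be a MAC and must not be skipped as a field; a comment such as `/* Only NTPv4 defines extension fields; in older versions data after the header can only be a MAC */` would record that. The version is taken from the sender-controlled `pkt->lvm` byte before any MAC has been checked, so it is worth confirming that the code following this `if`, which lies outside the hunk, rejects a non-v4 packet whose trailing data is not a valid MAC rather than treating it as unauthenticated. The literal `4` could also be replaced by a named constant if the file already defines one.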