faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Accept packets with compatible NTP versions

Browse source 
All incoming NTP packets are now required to have version 2, 3 or 4.
This commit is contained in:
Miroslav Lichvar 2011-05-25 16:59:40 +02:00
parent de4d14843f
commit 8cc7ebffa9
2 changed files with 28 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
acquire.c
View file

@ -63,6 +63,10 @@
#define RETRANSMISSION_TIMEOUT (1.0) #define RETRANSMISSION_TIMEOUT (1.0)
#define NTP_VERSION 3
#define NTP_MAX_COMPAT_VERSION 4
#define NTP_MIN_COMPAT_VERSION 2
typedef struct { typedef struct {
IPAddr ip_addr; /* Address of the server */ IPAddr ip_addr; /* Address of the server */
int sanity; /* Flag indicating whether source int sanity; /* Flag indicating whether source
@ -246,7 +250,7 @@ static void
probe_source(SourceRecord *src) probe_source(SourceRecord *src)
{ {
NTP_Packet pkt; NTP_Packet pkt;
int version = 3; int version = NTP_VERSION;
NTP_Mode my_mode = MODE_CLIENT; NTP_Mode my_mode = MODE_CLIENT;
struct timeval cooked; struct timeval cooked;
union sockaddr_in46 his_addr; union sockaddr_in46 his_addr;
@ -372,7 +376,7 @@ process_receive(NTP_Packet *msg, SourceRecord *src, struct timeval *now)
mode = lvm & 0x7; mode = lvm & 0x7;
if ((leap == LEAP_Unsynchronised) || if ((leap == LEAP_Unsynchronised) ||
(version != 3) || (version < NTP_MIN_COMPAT_VERSION || version > NTP_MAX_COMPAT_VERSION) ||
(mode != MODE_SERVER && mode != MODE_PASSIVE)) { (mode != MODE_SERVER && mode != MODE_PASSIVE)) {
return; return;
} }

26
ntp_core.c
View file

@ -192,6 +192,10 @@ struct NCR_Instance_Record {
/* The NTP protocol version that we support */ /* The NTP protocol version that we support */
#define NTP_VERSION 3 #define NTP_VERSION 3
/* Compatible NTP protocol versions */
#define NTP_MAX_COMPAT_VERSION 4
#define NTP_MIN_COMPAT_VERSION 2
/* Maximum allowed dispersion - as defined in RFC1305 (16 seconds) */ /* Maximum allowed dispersion - as defined in RFC1305 (16 seconds) */
#define NTP_MAX_DISPERSION 16.0 #define NTP_MAX_DISPERSION 16.0
@ -515,7 +519,7 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
struct timeval our_ref_time; struct timeval our_ref_time;
double our_root_delay, our_root_dispersion; double our_root_delay, our_root_dispersion;
version = 3; version = NTP_VERSION;
LCL_ReadCookedTime(&local_transmit, NULL); LCL_ReadCookedTime(&local_transmit, NULL);
REF_GetReferenceParams(&local_transmit, REF_GetReferenceParams(&local_transmit,
@ -1329,7 +1333,7 @@ process_known
/* Check version */ /* Check version */
version = (message->lvm >> 3) & 0x7; version = (message->lvm >> 3) & 0x7;
if (version != NTP_VERSION) { if (version < NTP_MIN_COMPAT_VERSION || version > NTP_MAX_COMPAT_VERSION) {
/* Ignore packet, but might want to log it */ /* Ignore packet, but might want to log it */
return; return;
} }
@ -1521,7 +1525,14 @@ NCR_ProcessNoauthUnknown(NTP_Packet *message, struct timeval *now, double now_er
NTP_Mode his_mode; NTP_Mode his_mode;
NTP_Mode my_mode; NTP_Mode my_mode;
int my_poll; int my_poll, version;
/* Check version */
version = (message->lvm >> 3) & 0x7;
if (version < NTP_MIN_COMPAT_VERSION || version > NTP_MAX_COMPAT_VERSION) {
/* Ignore packet, but might want to log it */
return;
}
if (ADF_IsAllowed(access_auth_table, &remote_addr->ip_addr)) { if (ADF_IsAllowed(access_auth_table, &remote_addr->ip_addr)) {
@ -1589,10 +1600,17 @@ NCR_ProcessAuthUnknown(NTP_Packet *message, struct timeval *now, double now_err,
NTP_Mode his_mode; NTP_Mode his_mode;
NTP_Mode my_mode; NTP_Mode my_mode;
int my_poll; int my_poll, version;
int valid_key, valid_auth; int valid_key, valid_auth;
unsigned long key_id; unsigned long key_id;
/* Check version */
version = (message->lvm >> 3) & 0x7;
if (version < NTP_MIN_COMPAT_VERSION || version > NTP_MAX_COMPAT_VERSION) {
/* Ignore packet, but might want to log it */
return;
}
if (ADF_IsAllowed(access_auth_table, &remote_addr->ip_addr)) { if (ADF_IsAllowed(access_auth_table, &remote_addr->ip_addr)) {
his_mode = message->lvm & 0x07; his_mode = message->lvm & 0x07;