Merge branch '1.31-security'

Conflicts:
	NEWS
	ntp_core.c

NEWS

@@ -29,6 +29,16 @@ Bug fixes
   is equal to server port
 * Fix allocation of slots saving replies to authenticated commands
 
+New in version 1.31.1
+=====================
+
+Security fixes
+--------------
+* Protect authenticated symmetric NTP associations against DoS attacks
+  (CVE-2015-1799)
+* Fix access configuration with subnet size indivisible by 4 (CVE-2015-1821)
+* Fix initialization of reply slots for authenticated commands (CVE-2015-1822)
+
 New in version 1.31
 ===================
 

addrfilt.c

@@ -199,7 +199,10 @@ set_subnet(TableNode *start_node,
 
       /* How many subnet entries to set : 1->8, 2->4, 3->2 */
       N = 1 << (NBITS-bits_to_go);
-      subnet = get_subnet(ip, bits_consumed);
+
+      subnet = get_subnet(ip, bits_consumed) & ~(N - 1);
+      assert(subnet + N <= TABLE_SIZE);
+
       if (!(node->extended)) {
         open_node(node);
       }

ntp_core.c

@@ -1217,11 +1217,13 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
       kod_rate = 1;
   }
 
-  /* Regardless of any validity checks we apply, we are required to
-     save these fields from the packet into the ntp source instance record.
-     Note we can't do this assignment before test 1 has been carried out. */
-  inst->remote_orig = message->transmit_ts;
-  inst->local_rx = *now;
+  /* The transmit timestamp and local receive timestamp must not be saved when
+     the authentication test failed to prevent denial-of-service attacks on
+     symmetric associations using authentication */
+  if (test5) {
+    inst->remote_orig = message->transmit_ts;
+    inst->local_rx = *now;
+  }
 
   /* This protects against replay of the last packet we sent */
   if (test2)