From cfb3c3ba449536599f422258c852e43128efa0dc Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 14 Nov 2016 09:27:07 +0100
Subject: [PATCH] ntp: improve replay protection in symmetric mode

Always allow update from the first valid response, even if its transmit
timestamp is not newer than the currently saved timestamp. This shoud
provide a temporary protection in the case where the attacker does have
an authenticated packet from future, but the peers are using the same
polling interval and the protocol is already synchronised. This could be
also useful in the case where the attacker cannot observe the traffic
and authentication is disabled.
---
 ntp_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ntp_core.c b/ntp_core.c
index b92e0e1..50a3aec 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1458,7 +1458,7 @@ receive_packet(NCR_Instance inst, NTP_Local_Address *local_addr,
   if ((inst->mode == MODE_CLIENT && valid_packet && !inst->valid_rx) ||
       (inst->mode == MODE_ACTIVE && (valid_packet || !inst->valid_rx) &&
        test5 && !UTI_IsZeroNtp64(&message->transmit_ts) &&
-       (!inst->updated_timestamps ||
+       (!inst->updated_timestamps || (valid_packet && !inst->valid_rx) ||
         UTI_CompareNtp64(&inst->remote_ntp_tx, &message->transmit_ts) < 0))) {
     inst->remote_ntp_rx = message->receive_ts;
     inst->remote_ntp_tx = message->transmit_ts;