NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 2670 - receive(): missing return on error
Summary: receive(): missing return on error
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd
Version: 4.2.6
Hardware: N/A All
Importance: P2 critical
Assignee: Harlan Stenn
Blocks: 2655
Reported: 2014-11-03 00:37 UTC by Harlan Stenn
Modified: 2023-03-30 10:10 UTC (History)

See Also:
stenn: blocking4.2.6+
stenn: blocking4.2.8+


Attachments
patch to add the missing return statement (465 bytes, patch)
2014-11-24 15:15 UTC, Stephen Röttger

Description Harlan Stenn 2014-11-03 00:37:13 UTC
+++ This bug was initially created as a clone of Bug #2655 +++

6) ntpd/ntp_proto.c:946 <receive> (missing return on error)
 fix: add return
Comment 1 Stephen Röttger 2014-11-24 15:15:43 UTC
Created attachment 1160
patch to add the missing return statement
Comment 2 Harlan Stenn 2014-11-25 06:18:31 UTC
Stephen,

I see that if we fail the test (because of AUTH_ERROR) we fall thru instead of returning, and might mobilize a symmetric passive association.

I'm trying to understand the "danger" level here for a CVSS score.  Got any suggestions?
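The fall-through Harlan describes, as an added, deliberately simplified C model (this is not ntpd's receive(); struct and function names, AUTH_ERROR_MSG, and the mode constant are hypothetical): the buggy shape records the authentication error and then continues into the code that mobilizes a symmetric passive association, while the fixed shape returns as soon as the error is reported.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the dispatch described in this bug, not ntpd code. */
#define AUTH_ERROR_MSG "auth error"
#define MODE_SYM_ACTIVE 1   /* NTP packet mode 1 = symmetric active */

struct packet {
    bool authenticated;     /* outcome of the MAC check on this packet */
    int  mode;              /* NTP association mode carried in the packet */
};

struct state {
    int         passive_assocs;  /* symmetric passive peers mobilized so far */
    const char *last_error;      /* last error recorded on the input path */
};

static void report_error(struct state *st, const char *msg) { st->last_error = msg; }
static void mobilize_passive(struct state *st) { st->passive_assocs++; }

/* Buggy shape: the error is recorded, but control falls through into the
 * association-mobilizing code for a symmetric active packet. */
void receive_buggy(struct state *st, const struct packet *pkt)
{
    if (!pkt->authenticated) {
        report_error(st, AUTH_ERROR_MSG);
        /* missing: return; */
    }
    if (pkt->mode == MODE_SYM_ACTIVE)
        mobilize_passive(st);
}

/* Fixed shape: return right after reporting, so an unauthenticated packet
 * never reaches the code that mobilizes a passive association. */
void receive_fixed(struct state *st, const struct packet *pkt)
{
    if (!pkt->authenticated) {
        report_error(st, AUTH_ERROR_MSG);
        return;
    }
    if (pkt->mode == MODE_SYM_ACTIVE)
        mobilize_passive(st);
}

/* Feed one constructed, unauthenticated symmetric-active packet through a
 * receive path and report how many passive associations it mobilized. */
int assocs_after_bad_auth(void (*rx)(struct state *, const struct packet *))
{
    struct state  st  = { 0, NULL };
    struct packet pkt = { false, MODE_SYM_ACTIVE };
    rx(&st, &pkt);
    return st.passive_assocs;
}
```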
Comment 3 Stephen Röttger 2014-11-25 13:43:08 UTC
I think the severity of this is very low.
What it does is, it adds a new peer connection and I tried to abuse this to trigger a different bug. However, all code paths that can be reached from this terminate the connection anyway and will remove the newly created peer association.
Comment 4 Harlan Stenn 2014-11-25 21:05:16 UTC
As long as the connection cannot normally be used to then alter time on the target, I agree with you.  Or am I missing something?
Comment 5 Harlan Stenn 2014-11-25 21:07:24 UTC
Stephen,

A better question from me is probably: how would you "base score" this at http://nvd.nist.gov/cvss.cfm?calculator&version=2 ?
Comment 6 Stephen Röttger 2014-11-28 08:49:02 UTC
We can probably skip assigning a CVSS for this. In the current form I don't think it's a security vulnerability, it just has the potential to become one.
Comment 7 Harlan Stenn 2014-12-12 11:28:53 UTC
Fixed in my ntp-dev-sec/ subdir.
Comment 8 Harlan Stenn 2014-12-20 06:09:05 UTC
Fixed in 4.2.8.