1 files changed, 41 insertions, 0 deletions

diff --git a/main/busybox/0014-ntpd-respond-only-to-client-and-symmetric-active-pac.patch b/main/busybox/0014-ntpd-respond-only-to-client-and-symmetric-active-pac.patch
new file mode 100644
index 000000000..24dc0e890
--- /dev/null
+++ b/main/busybox/0014-ntpd-respond-only-to-client-and-symmetric-active-pac.patch
@@ -0,0 +1,41 @@
+From c87fd50857e07450e8868730293f2af7063d263a Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Mon, 1 Aug 2016 20:24:24 +0200
+Subject: [PATCH 14/15] ntpd: respond only to client and symmetric active
+ packets
+
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ networking/ntpd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 7f7d69e..182dd58 100644
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -2042,6 +2042,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+ 		goto bail;
+ 	}
+ 
++	/* Respond only to client and symmetric active packets */
++	if ((msg.m_status & MODE_MASK) != MODE_CLIENT
++	 && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
++	) {
++		goto bail;
++	}
++
+ 	query_status = msg.m_status;
+ 	query_xmttime = msg.m_xmttime;
+ 
+-- 
+2.9.1
+