
ntp-4.2.6p5-24.7.mga5.src.rpm

commit aa44b5835d69d8ee031736bb8ee2730a514edb7d
Author:  <jnperlin@hydra.localnet>
Date:   Sun Oct 11 08:10:20 2015 +0200

    [Bug 2941] NAK to the Future: Symmetric association authentication bypass via crypto-NAK

diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 44f66ef..c8ee280 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1133,6 +1133,24 @@ receive(
 				sys_restricted++;
 				return;
 			}
+			/* [Bug 2941]
+			 * If we got here, the packet isn't part of an
+			 * existing association, it isn't correctly
+			 * authenticated, and it didn't meet either of
+			 * the previous two special cases so we should
+			 * just drop it on the floor.  For example,
+			 * crypto-NAKs (is_authentic == AUTH_CRYPTO)
+			 * will make it this far.  This is just
+			 * debug-printed and not logged to avoid log
+			 * flooding.
+			 */
+			DPRINTF(1, ("receive: at %ld refusing to mobilize passive association"
+				    " with unknown peer %s mode %d keyid %08x len %d auth %d\n",
+				    current_time, stoa(&rbufp->recv_srcadr),
+				    hismode, skeyid, (authlen + has_mac),
+				    is_authentic));
+			sys_declined++;
+			return;
 		}
 
 		/*
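Review bot: The drop added at the end of this branch leaves no trace in a production build, because DPRINTF is debug-only; the only signal that unauthenticated or crypto-NAK packets are trying to mobilize a passive association is `sys_declined`, which presumably is also incremented for other decline reasons. The comment should say this for operators, e.g. `* Not logged: a rising sys_declined count is the only production indicator of these packets.`, or the branch could emit a rate-limited log entry instead of none. If `current_time` is an unsigned long, as it appears to be elsewhere in ntpd, the format should be `%lu` rather than `%ld`. receive() begins and ends outside the hunk, so the comment's claim that the two earlier special cases have already been handled cannot be checked from the visible lines.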