commit aa44b5835d69d8ee031736bb8ee2730a514edb7d Author: <jnperlin@hydra.localnet> Date: Sun Oct 11 08:10:20 2015 +0200 [Bug 2941] NAK to the Future: Symmetric association authentication bypass via crypto-NAK
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 44f66ef..c8ee280 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1133,6 +1133,24 @@ receive(
 sys_restricted++;
 return;
 }
+ /* [Bug 2941]
+ * If we got here, the packet isn't part of an
+ * existing association, it isn't correctly
+ * authenticated, and it didn't meet either of
+ * the previous two special cases so we should
+ * just drop it on the floor. For example,
+ * crypto-NAKs (is_authentic == AUTH_CRYPTO)
+ * will make it this far. This is just
+ * debug-printed and not logged to avoid log
+ * flooding.
+ */
+ DPRINTF(1, ("receive: at %ld refusing to mobilize passive association"
+ " with unknown peer %s mode %d keyid %08x len %d auth %d\n",
+ current_time, stoa(&rbufp->recv_srcadr),
+ hismode, skeyid, (authlen + has_mac),
+ is_authentic));
+ sys_declined++;
+ return;
 }

 /*
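Review bot: The new catch-all drop leaves `sys_declined++` as its only trace outside debugging, since the message goes through DPRINTF at level 1 and the comment says it is deliberately not logged. If that counter is shared with other decline paths, as its generic name suggests, a burst of crypto-NAKs from an unknown peer cannot be told apart from ordinary declines. The comment should name the counter as the signal to watch, for example `* Counted in sys_declined; a rising count with no new peers may indicate crypto-NAK probing.`, or a rate-limited log line could be considered. The drop also holds only while each of the "previous two special cases" ends in its own return, and those branches start outside this hunk, so that cannot be confirmed from here; a sentence in the comment saying that new special cases above must return explicitly would protect the fix against later edits.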