diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-4954 ntp-4.2.6p5/ntpd/ntp_proto.c --- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-4954 2016-05-26 15:48:33.537091323 +0200 +++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-05-26 16:19:00.442015222 +0200 @@ -1406,6 +1406,20 @@ process_packet( record_raw_stats(&peer->srcadr, peer->dstadr ? &peer->dstadr->sin : NULL, &p_org, &p_rec, &p_xmt, &peer->dst); + + /* + * If any test failed in the receive() routine, the packet is + * discarded. + */ + if (peer->flash & PKT_TEST_MASK) { +#ifdef DEBUG + if (debug) + printf("packet: flash header %04x\n", + peer->flash); +#endif + return; + } + peer->leap = pleap; peer->stratum = min(pstratum, STRATUM_UNSPEC); peer->pmode = pmode; @@ -1442,11 +1456,6 @@ process_packet( if (p_del / 2 + p_disp >= MAXDISPERSE) /* test 7 */ peer->flash |= TEST7; /* bad header */ - /* - * If any tests fail at this point, the packet is discarded. - * Note that some flashers may have already been set in the - * receive() routine. - */ if (peer->flash & PKT_TEST_MASK) { peer->seldisptoolarge++; #ifdef DEBUG