DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-05 04:25:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add padding to cmdmon requests to prevent amplification attack

Browse Source 
To prevent an attacker using chronyd in an amplification attack, change
the protocol to include padding in request packets so that the largest
possible reply is not larger than the request. Request packets that
don't include this padding are ignored as invalid.

This is an incompatible change in the protocol. Clients from chrony
1.27, 1.28 and 1.29 will receive NULL reply with STT_BADPKTVERSION and
print "Protocol version mismatch". Clients from 1.26 and older will not
receive a reply as it would be larger than the request if it was padded
to be compatible with their protocol.
This commit is contained in:
Miroslav Lichvar
2014-01-24 13:55:15 +01:00
parent 3e23430926
commit dba458d50c
5 changed files with 197 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pktlength.h
View File

@@ -33,6 +33,8 @@
extern int PKL_CommandLength(CMD_Request *r);
extern int PKL_CommandPaddingLength(CMD_Request *r);
extern int PKL_ReplyLength(CMD_Reply *r);
#endif /* GOT_PKTLENGTH_H */