You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@commons.apache.org by se...@apache.org on 2021/11/11 00:26:00 UTC

[commons-net] branch master updated: [NTP] Fix NET-704: NTPUDPClient does not check response packet pairing.

This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git


The following commit(s) were added to refs/heads/master by this push:
     new 1e32f35  [NTP] Fix NET-704: NTPUDPClient does not check response packet pairing.
     new eb0181a  Merge pull request #92 from dzolo/NET-704
1e32f35 is described below

commit 1e32f35c5a1064fbf638e18032f62c8aae4a5b4a
Author: Ondřej Fibich <of...@techniserv.cz>
AuthorDate: Mon Nov 8 07:58:28 2021 +0100

    [NTP] Fix NET-704: NTPUDPClient does not check response packet pairing.
---
 src/main/java/org/apache/commons/net/ntp/NTPUDPClient.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/commons/net/ntp/NTPUDPClient.java b/src/main/java/org/apache/commons/net/ntp/NTPUDPClient.java
index 207dea9..cb0d465 100644
--- a/src/main/java/org/apache/commons/net/ntp/NTPUDPClient.java
+++ b/src/main/java/org/apache/commons/net/ntp/NTPUDPClient.java
@@ -70,7 +70,8 @@ public final class NTPUDPClient extends DatagramSocketClient
      * @param host The address of the server.
      * @param port The port of the service.
      * @return The time value retrieved from the server.
-     * @throws IOException If an error occurs while retrieving the time.
+     * @throws IOException If an error occurs while retrieving the time or if
+     *                     received packet does not match the request.
      */
     public TimeInfo getTime(final InetAddress host, final int port) throws IOException
     {
@@ -106,6 +107,13 @@ public final class NTPUDPClient extends DatagramSocketClient
         _socket_.receive(receivePacket);
 
         final long returnTimeMillis = System.currentTimeMillis();
+
+        // Prevent invalid time information if response does not match request
+        if (!now.equals(recMessage.getOriginateTimeStamp()))
+        {
+            throw new IOException("Originate time does not match the request");
+        }
+
         // create TimeInfo message container but don't pre-compute the details yet
         return new TimeInfo(recMessage, returnTimeMillis, false);
     }