Date: Tue, 14 Aug 2018 17:43:11 +0000 (UTC) From: "Jonathan T. Looney" <jtl@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r337789 - stable/11/sys/netinet Message-ID: <201808141743.w7EHhBKS026883@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jtl Date: Tue Aug 14 17:43:11 2018 New Revision: 337789 URL: https://svnweb.freebsd.org/changeset/base/337789 Log: MFC r337775: Improve hashing of IPv4 fragments. Currently, IPv4 fragments are hashed into buckets based on a 32-bit key which is calculated by (src_ip ^ ip_id) and combined with a random seed. However, because an attacker can control the values of src_ip and ip_id, it is possible to construct an attack which causes very deep chains to form in a given bucket. To ensure more uniform distribution (and lower predictability for an attacker), calculate the hash based on a key which includes all the fields we use to identify a reassembly queue (dst_ip, src_ip, ip_id, and the ip protocol) as well as a random seed. Security: FreeBSD-SA-18:10.ip Security: CVE-2018-6923 Modified: stable/11/sys/netinet/ip_reass.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/ip_reass.c ============================================================================== --- stable/11/sys/netinet/ip_reass.c Tue Aug 14 17:36:21 2018 (r337788) +++ stable/11/sys/netinet/ip_reass.c Tue Aug 14 17:43:11 2018 (r337789) @@ -148,7 +148,7 @@ ip_reass(struct mbuf *m) struct ipqhead *head; int i, hlen, next; u_int8_t ecn, ecn0; - uint32_t hash; + uint32_t hash, hashkey[3]; #ifdef RSS uint32_t rss_hash, rss_type; #endif @@ -202,8 +202,12 @@ ip_reass(struct mbuf *m) m->m_data += hlen; m->m_len -= hlen; - hash = ip->ip_src.s_addr ^ ip->ip_id; - hash = jenkins_hash32(&hash, 1, V_ipq_hashseed) & IPREASS_HMASK; + hashkey[0] = ip->ip_src.s_addr; + hashkey[1] = ip->ip_dst.s_addr; + hashkey[2] = (uint32_t)ip->ip_p << 16; + hashkey[2] += ip->ip_id; + hash = jenkins_hash32(hashkey, nitems(hashkey), V_ipq_hashseed); + hash &= IPREASS_HMASK; head = &V_ipq[hash].head; IPQ_LOCK(hash);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808141743.w7EHhBKS026883>