Date:      Tue, 14 Aug 2018 17:43:11 +0000 (UTC)
From:      "Jonathan T. Looney" <jtl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r337789 - stable/11/sys/netinet
Message-ID:  <201808141743.w7EHhBKS026883@repo.freebsd.org>

Author: jtl
Date: Tue Aug 14 17:43:11 2018
New Revision: 337789
URL: https://svnweb.freebsd.org/changeset/base/337789

Log:
  MFC r337775:
    Improve hashing of IPv4 fragments.
  
    Currently, IPv4 fragments are hashed into buckets based on a 32-bit
    key which is calculated by (src_ip ^ ip_id) and combined with a random
    seed. However, because an attacker can control the values of src_ip
    and ip_id, it is possible to construct an attack which causes very
    deep chains to form in a given bucket.
  
    To ensure more uniform distribution (and lower predictability for
    an attacker), calculate the hash based on a key which includes all
    the fields we use to identify a reassembly queue (dst_ip, src_ip,
    ip_id, and the ip protocol) as well as a random seed.
  
  Security:	FreeBSD-SA-18:10.ip
  Security:	CVE-2018-6923

Modified:
  stable/11/sys/netinet/ip_reass.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/ip_reass.c
==============================================================================
--- stable/11/sys/netinet/ip_reass.c	Tue Aug 14 17:36:21 2018	(r337788)
+++ stable/11/sys/netinet/ip_reass.c	Tue Aug 14 17:43:11 2018	(r337789)
@@ -148,7 +148,7 @@ ip_reass(struct mbuf *m)
 	struct ipqhead *head;
 	int i, hlen, next;
 	u_int8_t ecn, ecn0;
-	uint32_t hash;
+	uint32_t hash, hashkey[3];
 #ifdef	RSS
 	uint32_t rss_hash, rss_type;
 #endif
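Review bot: The `hashkey[3]` declaration carries a bare array size with nothing tying it to the fields it will hold. A brief comment naming the three words (source address, destination address, and the protocol packed together with the IP ID) would make it harder for a later change to the reassembly-queue identity to leave the hash key behind.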
@@ -202,8 +202,12 @@ ip_reass(struct mbuf *m)
 	m->m_data += hlen;
 	m->m_len -= hlen;
 
-	hash = ip->ip_src.s_addr ^ ip->ip_id;
-	hash = jenkins_hash32(&hash, 1, V_ipq_hashseed) & IPREASS_HMASK;
+	hashkey[0] = ip->ip_src.s_addr;
+	hashkey[1] = ip->ip_dst.s_addr;
+	hashkey[2] = (uint32_t)ip->ip_p << 16;
+	hashkey[2] += ip->ip_id;
+	hash = jenkins_hash32(hashkey, nitems(hashkey), V_ipq_hashseed);
+	hash &= IPREASS_HMASK;
 	head = &V_ipq[hash].head;
 	IPQ_LOCK(hash);
 
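Review bot: The `hashkey[2] += ip->ip_id;` line uses addition to pack the ID beneath the shifted protocol. The two fields occupy disjoint bits (the 8-bit ip_p lands in bits 16-23, the 16-bit ip_id in bits 0-15), so the value is correct, but `hashkey[2] |= ip->ip_id;` or a single `((uint32_t)ip->ip_p << 16) | ip->ip_id` assignment would read as a pack rather than arithmetic. Separately, resistance to chosen-key collisions still rests on V_ipq_hashseed staying unpredictable, since jenkins_hash32 is not a keyed cryptographic hash; nothing in this hunk changes how the seed is set or refreshed, so that is worth confirming alongside this change.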


