git.ipfire.org Git - people/ms/linux.git/commit
ipv6: make fragment identifications less predictable
author Eric Dumazet <eric.dumazet@gmail.com>
Tue, 9 Aug 2011 06:44:00 +0000 (23:44 -0700)
committer Willy Tarreau <w@1wt.eu>
Mon, 10 Jun 2013 09:43:37 +0000 (11:43 +0200)
commit c023a0b45bb91bce7bf3300518592f07fcd35244
tree 3bf5739f813f09a31c68ccb1149bcb95bc69bc61
parent b1a1c38d6d1860584ec828b798276fffd2b7eadc

[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]

Fernando Gont reported current IPv6 fragment identification generation
was not secure, because using a very predictable system-wide generator,
allowing various attacks.

IPv4 uses inetpeer cache to address this problem and to get good
performance. We'll use this mechanism when IPv6 inetpeer is stable
enough in linux-3.1

For the time being, we use jhash on destination address to provide less
predictable identifications. Also remove a spinlock and use cmpxchg() to
get better SMP performance.

Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[bwh: Backport further to 2.6.32]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
include/net/ipv6.h
include/net/transp_v6.h
net/ipv6/af_inet6.c
net/ipv6/ip6_output.c
net/ipv6/udp.c
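
The idea in the commit message (a hash of the destination address plus a lock-free update), sketched as an added user-space example; this is not the kernel's code and not taken from this commit. Assumptions: `keyed_hash()` is a small stand-in for the kernel's jhash, C11 atomics stand in for `cmpxchg()`, and the bucket table, the secret and all function names are hypothetical.

```c
#include <stdatomic.h>
#include <stdint.h>

#define IDENT_BUCKETS 256u                   /* assumed size, power of two */

static _Atomic uint32_t global_ident;        /* the predictable baseline */
static _Atomic uint32_t ident_bucket[IDENT_BUCKETS];
static uint32_t ident_secret = 0x5eed1234u;  /* constructed; use a boot-time random value */

/* Baseline: one system-wide sequence, so any peer can read the global rate. */
uint32_t select_ident_global(void)
{
    return atomic_fetch_add(&global_ident, 1) + 1;
}

/* Stand-in keyed mixer over the 16 address bytes (NOT the kernel's jhash). */
static uint32_t keyed_hash(const uint8_t dst[16], uint32_t key)
{
    uint32_t h = key ^ 0x9e3779b9u;
    for (int i = 0; i < 16; i++) {
        h = (h ^ dst[i]) * 0x01000193u;
        h ^= h >> 15;
    }
    return h;
}

/* Bucket a destination maps to; exposed so callers can inspect collisions. */
uint32_t bucket_of(const uint8_t dst[16])
{
    return keyed_hash(dst, ident_secret) & (IDENT_BUCKETS - 1);
}

/* Per-destination sequence, advanced by compare-and-swap instead of a lock. */
uint32_t select_ident_hashed(const uint8_t dst[16])
{
    uint32_t h = keyed_hash(dst, ident_secret);
    _Atomic uint32_t *slot = &ident_bucket[h & (IDENT_BUCKETS - 1)];
    uint32_t old = atomic_load(slot), next;

    do {
        next = old + 1;                      /* retried if another CPU won the race */
    } while (!atomic_compare_exchange_weak(slot, &old, next));
    return h + next;                         /* keyed offset hides the raw counter */
}
```

Destinations that hash to the same bucket share a counter, so this reduces rather than eliminates what one peer can infer about traffic to another.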