commit b3da2cf37c5c6e47698957a25ab43a7223dbb90f
author David S. Miller <davem@davemloft.net> Fri Mar 23 11:40:27 2007 -0700
committer David S. Miller <davem@sunset.davemloft.net> Wed Apr 25 22:28:06 2007 -0700
tree e8892392aaf7e3d3544ede23c21791e2317b177d
parent d30045a0bcf144753869175dd9d840f7ceaf4aba

[INET]: Use jhash + random secret for ehash.

The days are gone when this was not an issue, there are folks out
there with huge bot networks that can be used to attack the
established hash tables on remote systems.

So just like the routing cache and connection tracking
hash, use Jenkins hash with random secret input.

Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/af_inet.c

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index f011390..b7b7278 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -87,6 +87,7 @@
 #include <linux/init.h>
 #include <linux/poll.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/random.h>
 
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -217,6 +218,16 @@
 	return err;
 }
 
+u32 inet_ehash_secret;
+EXPORT_SYMBOL(inet_ehash_secret);
+
+void build_ehash_secret(void)
+{
+	while (!inet_ehash_secret)
+		get_random_bytes(&inet_ehash_secret, 4);
+}
+EXPORT_SYMBOL(build_ehash_secret);
+
 /*
  *	Create an inet socket.
  */
@@ -233,6 +244,11 @@
 	int try_loading_module = 0;
 	int err;
 
+	if (sock->type != SOCK_RAW &&
+	    sock->type != SOCK_DGRAM &&
+	    !inet_ehash_secret)
+		build_ehash_secret();
+
 	sock->state = SS_UNCONNECTED;
 
 	/* Look for the requested type/protocol pair. */