Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / ef81bb40bf15f350fe865f31fa42f1082772a576
commitef81bb40bf15f350fe865f31fa42f1082772a576[log] [tgz]
authorEric Dumazet <eric.dumazet@gmail.com>Mon Aug 08 23:44:00 2011 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>Mon Aug 15 18:31:37 2011 -0700
treef89c3e9616127d234207a84e108bf147cc393215
parenteb473dd5ad8785d35142966cdcd6896d8dff5a22 [diff]
ipv6: make fragment identifications less predictable

[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]

Fernando Gont reported current IPv6 fragment identification generation
was not secure, because using a very predictable system-wide generator,
allowing various attacks.

IPv4 uses inetpeer cache to address this problem and to get good
performance. We'll use this mechanism when IPv6 inetpeer is stable
enough in linux-3.1

For the time being, we use jhash on destination address to provide less
predictable identifications. Also remove a spinlock and use cmpxchg() to
get better SMP performance.

Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
5 files changed
tree: f89c3e9616127d234207a84e108bf147cc393215
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS