ipv6: make fragment identifications less predictable, CVE-2011-2699
authorAndy Whitcroft <apw@canonical.com>
Tue, 23 Aug 2011 14:58:32 +0000 (15:58 +0100)
committerHerton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Mon, 29 Aug 2011 19:23:11 +0000 (16:23 -0300)
commit02b08d8d07b1b7591e2fd77ad14d016a4f391bc0
tree1bfd1641e17e56c42bb7ec32e92053918c4566b3
parentf359494abc1f649700d683b6c7f4e88ee597cf94
ipv6: make fragment identifications less predictable, CVE-2011-2699

[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]

Fernando Gont reported current IPv6 fragment identification generation
was not secure, because using a very predictable system-wide generator,
allowing various attacks.

IPv4 uses inetpeer cache to address this problem and to get good
performance. We'll use this mechanism when IPv6 inetpeer is stable
enough in linux-3.1

For the time being, we use jhash on destination address to provide less
predictable identifications. Also remove a spinlock and use cmpxchg() to
get better SMP performance.

Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
CVE-2011-2699
BugLink: http://bugs.launchpad.net/bugs/827685
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
include/net/ipv6.h
include/net/transp_v6.h
net/ipv6/af_inet6.c
net/ipv6/ip6_output.c
net/ipv6/udp.c