ipv6: make fragment identifications less predictable, CVE-2011-2699
authorAndy Whitcroft <apw@canonical.com>
Tue, 23 Aug 2011 14:58:32 +0000 (15:58 +0100)
committerTim Gardner <tim.gardner@canonical.com>
Tue, 23 Aug 2011 18:29:39 +0000 (12:29 -0600)
commit9293da4fdc38cacfa205854fd48a64d7370da442
tree0ef55ca7527f219d14d2b6ffb788275460667c41
parent2fcabd97270a02123c609fbf1c2afb52bb3786f3
ipv6: make fragment identifications less predictable, CVE-2011-2699

[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]

Fernando Gont reported current IPv6 fragment identification generation
was not secure, because using a very predictable system-wide generator,
allowing various attacks.

IPv4 uses inetpeer cache to address this problem and to get good
performance. We'll use this mechanism when IPv6 inetpeer is stable
enough in linux-3.1

For the time being, we use jhash on destination address to provide less
predictable identifications. Also remove a spinlock and use cmpxchg() to
get better SMP performance.

Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
CVE-2011-2699
BugLink: http://bugs.launchpad.net/bugs/827685
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
include/net/ipv6.h
include/net/transp_v6.h
net/ipv6/af_inet6.c
net/ipv6/ip6_output.c
net/ipv6/udp.c