Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 311379 Details for
Bug 454566
kernel: randomize udp port allocation
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed backported patch for RHEL-5.3
rhel5u3-UDP-Randomize-port-selection.patch (text/plain), 6.09 KB, created by
Eugene Teo (Security Response)
on 2008-07-09 14:28:09 UTC
(
hide
)
Description:
Proposed backported patch for RHEL-5.3
Filename:
MIME Type:
Creator:
Eugene Teo (Security Response)
Created:
2008-07-09 14:28:09 UTC
Size:
6.09 KB
patch
obsolete
>[RHEL5.3 PATCH] BZ#454572 kernel: randomize udp port allocation > >Backport of upstream commit 32c1da70810017a98aa6c431a5494a302b6b9a30 > >This patch causes UDP port allocation to be randomized like TCP. The >earlier code would always choose same port (ie first empty list). > >Implementing this would mitigate CVE-2008-1447 as applied to the glibc >stub resolver. > >Signed-off-by: Eugene Teo <eteo@redhat.com> >--- > include/net/udp.h | 2 - > net/ipv4/udp.c | 64 +++++++++++++++++++++++++++--------------------------- > net/ipv6/udp.c | 60 +++++++++++++++++++++++++++----------------------- > 3 files changed, 65 insertions(+), 61 deletions(-) > >diff --git a/include/net/udp.h b/include/net/udp.h >index dd5e3b6..97fe4b5 100644 >--- a/include/net/udp.h >+++ b/include/net/udp.h >@@ -37,8 +37,6 @@ > extern struct hlist_head udp_hash[UDP_HTABLE_SIZE]; > extern rwlock_t udp_hash_lock; > >-extern int udp_port_rover; >- > static inline int udp_lport_inuse(u16 num) > { > struct sock *sk; >diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c >index 8223397..483b625 100644 >--- a/net/ipv4/udp.c >+++ b/net/ipv4/udp.c >@@ -130,9 +130,6 @@ EXPORT_SYMBOL(sysctl_udp_wmem_min); > atomic_t udp_memory_allocated; > EXPORT_SYMBOL(udp_memory_allocated); > >-/* Shared by v4/v6 udp. */ >-int udp_port_rover; >- > static int udp_v4_get_port(struct sock *sk, unsigned short snum) > { > struct hlist_node *node; >@@ -140,47 +137,51 @@ static int udp_v4_get_port(struct sock *sk, unsigned short snum) > struct inet_sock *inet = inet_sk(sk); > > write_lock_bh(&udp_hash_lock); >- if (snum == 0) { >- int best_size_so_far, best, result, i, low, high; >+ if (!snum) { >+ int i, low, high, remaining; >+ unsigned rover, best, best_size_so_far; > > inet_get_local_port_range(&low, &high); >+ remaining = (high - low) + 1; >+ >+ best_size_so_far = UINT_MAX; >+ best = rover = net_random() % remaining + low; > >- if (udp_port_rover > high || >- udp_port_rover < low) >- udp_port_rover = low; >- best_size_so_far = 32767; >- best = result = udp_port_rover; >- for (i = 0; i < UDP_HTABLE_SIZE; i++, result++) { >+ /* 1st pass: look for empty (or shortest) hash chain */ >+ for (i = 0; i < UDP_HTABLE_SIZE; i++) { > struct hlist_head *list; >- int size; >+ int size = 0; > >- list = &udp_hash[result & (UDP_HTABLE_SIZE - 1)]; >- if (hlist_empty(list)) { >- if (result > high) >- result = low + ((result - low) & >- (UDP_HTABLE_SIZE - 1)); >+ list = &udp_hash[rover & (UDP_HTABLE_SIZE - 1)]; >+ if (hlist_empty(list)) > goto gotit; >- } >- size = 0; >+ > sk_for_each(sk2, node, list) > if (++size >= best_size_so_far) > goto next; > best_size_so_far = size; >- best = result; >- next:; >+ best = rover; >+ next: >+ /* fold back if end of range */ >+ if (++rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- result = best; >- for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) { >- if (result > high) >- result = low + ((result - low) & >- (UDP_HTABLE_SIZE - 1)); >- if (!udp_lport_inuse(result)) >- break; >+ /* 2nd pass: find hole in shortest hash chain */ >+ rover = best; >+ for (i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++) { >+ if (!udp_lport_inuse(rover)) >+ goto gotit; >+ rover += UDP_HTABLE_SIZE; >+ if (rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- if (i >= (1 << 16) / UDP_HTABLE_SIZE) >- goto fail; >+ /* All ports in use! */ >+ goto fail; >+ > gotit: >- udp_port_rover = snum = result; >+ snum = rover; > } else { > sk_for_each(sk2, node, > &udp_hash[snum & (UDP_HTABLE_SIZE - 1)]) { >@@ -1638,7 +1639,6 @@ EXPORT_SYMBOL(udp_disconnect); > EXPORT_SYMBOL(udp_hash); > EXPORT_SYMBOL(udp_hash_lock); > EXPORT_SYMBOL(udp_ioctl); >-EXPORT_SYMBOL(udp_port_rover); > EXPORT_SYMBOL(udp_prot); > EXPORT_SYMBOL(udp_sendmsg); > EXPORT_SYMBOL(udp_poll); >diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c >index 56a69b4..ac58df5 100644 >--- a/net/ipv6/udp.c >+++ b/net/ipv6/udp.c >@@ -70,45 +70,51 @@ static int udp_v6_get_port(struct sock *sk, unsigned short snum) > struct hlist_node *node; > > write_lock_bh(&udp_hash_lock); >- if (snum == 0) { >- int best_size_so_far, best, result, i, low, high; >+ if (!snum) { >+ int i, low, high, remaining; >+ unsigned rover, best, best_size_so_far; > > inet_get_local_port_range(&low, &high); >- if (udp_port_rover > high || udp_port_rover < low) >- udp_port_rover = low; >- best_size_so_far = 32767; >- best = result = udp_port_rover; >- for (i = 0; i < UDP_HTABLE_SIZE; i++, result++) { >- int size; >+ remaining = (high - low) + 1; >+ >+ best_size_so_far = UINT_MAX; >+ best = rover = net_random() % remaining + low; >+ >+ /* 1st pass: look for empty (or shortest) hash chain */ >+ for (i = 0; i < UDP_HTABLE_SIZE; i++) { >+ int size = 0; > struct hlist_head *list; > >- list = &udp_hash[result & (UDP_HTABLE_SIZE - 1)]; >- if (hlist_empty(list)) { >- if (result > high) >- result = low + ((result - low) & >- (UDP_HTABLE_SIZE - 1)); >+ list = &udp_hash[rover & (UDP_HTABLE_SIZE - 1)]; >+ if (hlist_empty(list)) > goto gotit; >- } >- size = 0; >+ > sk_for_each(sk2, node, list) > if (++size >= best_size_so_far) > goto next; > best_size_so_far = size; >- best = result; >- next:; >+ best = rover; >+ next: >+ /* fold back if end of range */ >+ if (++rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- result = best; >- for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) { >- if (result > high) >- result = low + ((result - low) & >- (UDP_HTABLE_SIZE - 1)); >- if (!udp_lport_inuse(result)) >- break; >+ /* 2nd pass: find hole in shortest hash chain */ >+ rover = best; >+ for (i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++) { >+ if (!udp_lport_inuse(rover)) >+ goto gotit; >+ rover += UDP_HTABLE_SIZE; >+ if (rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- if (i >= (1 << 16) / UDP_HTABLE_SIZE) >- goto fail; >+ /* All ports in use! */ >+ goto fail; >+ > gotit: >- udp_port_rover = snum = result; >+ snum = rover; > } else { > sk_for_each(sk2, node, > &udp_hash[snum & (UDP_HTABLE_SIZE - 1)]) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=311379">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 454566
:
311378
| 311379 |
311434
|
311435