Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 311434 Details for
Bug 454566
kernel: randomize udp port allocation
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed backported patch for RHEL-2.1
rhel2u1-UDP-Randomize-port-selection.patch (text/plain), 6.91 KB, created by
Eugene Teo (Security Response)
on 2008-07-10 02:28:11 UTC
(
hide
)
Description:
Proposed backported patch for RHEL-2.1
Filename:
MIME Type:
Creator:
Eugene Teo (Security Response)
Created:
2008-07-10 02:28:11 UTC
Size:
6.91 KB
patch
obsolete
>[RHEL2.1 PATCH] BZ#454567 kernel: randomize udp port allocation > >This is for Bugzilla bug #454567. > >Backport of upstream commit 32c1da70810017a98aa6c431a5494a302b6b9a30 > >This patch causes UDP port allocation to be randomized like TCP. The >earlier code would always choose same port (ie first empty list). > >Implementing this would mitigate CVE-2008-1447 as applied to the glibc >stub resolver. > >Signed-off-by: Eugene Teo <eteo@redhat.com> >--- > include/net/udp.h | 2 - > net/ipv4/udp.c | 67 ++++++++++++++++++++++++++---------------------------- > net/ipv6/udp.c | 64 ++++++++++++++++++++++++++------------------------- > net/netsyms.c | 2 - > 4 files changed, 66 insertions(+), 69 deletions(-) > >diff -Naur linux.default/include/net/udp.h linux/include/net/udp.h >--- linux.default/include/net/udp.h 2001-08-16 05:26:33.000000000 +0800 >+++ linux/include/net/udp.h 2008-07-10 08:22:27.000000000 +0800 >@@ -34,8 +34,6 @@ > extern struct sock *udp_hash[UDP_HTABLE_SIZE]; > extern rwlock_t udp_hash_lock; > >-extern int udp_port_rover; >- > static inline int udp_lport_inuse(u16 num) > { > struct sock *sk = udp_hash[num & (UDP_HTABLE_SIZE - 1)]; >diff -Naur linux.default/net/ipv4/udp.c linux/net/ipv4/udp.c >--- linux.default/net/ipv4/udp.c 2008-07-09 23:24:48.000000000 +0800 >+++ linux/net/ipv4/udp.c 2008-07-10 08:18:54.000000000 +0800 >@@ -103,54 +103,53 @@ > struct sock *udp_hash[UDP_HTABLE_SIZE]; > rwlock_t udp_hash_lock = RW_LOCK_UNLOCKED; > >-/* Shared by v4/v6 udp. */ >-int udp_port_rover; >- > static int udp_v4_get_port(struct sock *sk, unsigned short snum) > { > write_lock_bh(&udp_hash_lock); >- if (snum == 0) { >- int best_size_so_far, best, result, i; >+ if (!snum) { >+ int i, remaining; >+ int low = sysctl_local_port_range[0]; >+ int high = sysctl_local_port_range[1]; >+ unsigned rover, best, best_size_so_far; >+ >+ remaining = (high - low) + 1; >+ best_size_so_far = UINT_MAX; >+ best = rover = net_random() % remaining + low; > >- if (udp_port_rover > sysctl_local_port_range[1] || >- udp_port_rover < sysctl_local_port_range[0]) >- udp_port_rover = sysctl_local_port_range[0]; >- best_size_so_far = 32767; >- best = result = udp_port_rover; >- for (i = 0; i < UDP_HTABLE_SIZE; i++, result++) { >+ /* 1st pass: look for empty (or shortest) hash chain */ >+ for (i = 0; i < UDP_HTABLE_SIZE; i++) { > struct sock *sk; >- int size; >+ int size = 0; > >- sk = udp_hash[result & (UDP_HTABLE_SIZE - 1)]; >- if (!sk) { >- if (result > sysctl_local_port_range[1]) >- result = sysctl_local_port_range[0] + >- ((result - sysctl_local_port_range[0]) & >- (UDP_HTABLE_SIZE - 1)); >+ sk = udp_hash[rover & (UDP_HTABLE_SIZE - 1)]; >+ if (!sk) > goto gotit; >- } >- size = 0; > do { > if (++size >= best_size_so_far) > goto next; > } while ((sk = sk->next) != NULL); > best_size_so_far = size; >- best = result; >- next:; >- } >- result = best; >- for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) { >- if (result > sysctl_local_port_range[1]) >- result = sysctl_local_port_range[0] >- + ((result - sysctl_local_port_range[0]) & >- (UDP_HTABLE_SIZE - 1)); >- if (!udp_lport_inuse(result)) >- break; >+ best = rover; >+ next: >+ /* fold back if end of range */ >+ if (++rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); >+ } >+ /* 2nd pass: find hole in shortest hash chain */ >+ rover = best; >+ for (i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++) { >+ if (!udp_lport_inuse(rover)) >+ goto gotit; >+ rover += UDP_HTABLE_SIZE; >+ if (rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- if (i >= (1 << 16) / UDP_HTABLE_SIZE) >- goto fail; >+ /* All ports in use! */ >+ goto fail; > gotit: >- udp_port_rover = snum = result; >+ snum = rover; > } else { > struct sock *sk2; > >diff -Naur linux.default/net/ipv6/udp.c linux/net/ipv6/udp.c >--- linux.default/net/ipv6/udp.c 2008-07-09 23:24:48.000000000 +0800 >+++ linux/net/ipv6/udp.c 2008-07-10 08:22:04.000000000 +0800 >@@ -56,48 +56,50 @@ > static int udp_v6_get_port(struct sock *sk, unsigned short snum) > { > write_lock_bh(&udp_hash_lock); >- if (snum == 0) { >- int best_size_so_far, best, result, i; >+ if (!snum) { >+ int i, remaining; >+ int low = sysctl_local_port_range[0]; >+ int high = sysctl_local_port_range[1]; >+ unsigned rover, best, best_size_so_far; >+ >+ remaining = (high - low) + 1; >+ best_size_so_far = UINT_MAX; >+ best = rover = net_random() % remaining + low; > >- if (udp_port_rover > sysctl_local_port_range[1] || >- udp_port_rover < sysctl_local_port_range[0]) >- udp_port_rover = sysctl_local_port_range[0]; >- best_size_so_far = 32767; >- best = result = udp_port_rover; >- for (i = 0; i < UDP_HTABLE_SIZE; i++, result++) { >+ /* 1st pass: look for empty (or shortest) hash chain */ >+ for (i = 0; i < UDP_HTABLE_SIZE; i++) { > struct sock *sk; >- int size; >+ int size = 0; > >- sk = udp_hash[result & (UDP_HTABLE_SIZE - 1)]; >- if (!sk) { >- if (result > sysctl_local_port_range[1]) >- result = sysctl_local_port_range[0] + >- ((result - sysctl_local_port_range[0]) & >- (UDP_HTABLE_SIZE - 1)); >+ sk = udp_hash[rover & (UDP_HTABLE_SIZE - 1)]; >+ if (!sk) > goto gotit; >- } >- size = 0; > do { > if (++size >= best_size_so_far) > goto next; > } while ((sk = sk->next) != NULL); > best_size_so_far = size; >- best = result; >- next:; >- } >- result = best; >- for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) { >- if (result > sysctl_local_port_range[1]) >- result = sysctl_local_port_range[0] >- + ((result - sysctl_local_port_range[0]) & >- (UDP_HTABLE_SIZE - 1)); >- if (!udp_lport_inuse(result)) >- break; >+ best = rover; >+ next: >+ /* fold back if end of range */ >+ if (++rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); >+ } >+ /* 2nd pass: find hole in shortest hash chain */ >+ rover = best; >+ for (i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++) { >+ if (!udp_lport_inuse(rover)) >+ goto gotit; >+ rover += UDP_HTABLE_SIZE; >+ if (rover > high) >+ rover = low + ((rover - low) >+ & (UDP_HTABLE_SIZE - 1)); > } >- if (i >= (1 << 16) / UDP_HTABLE_SIZE) >- goto fail; >+ /* All ports in use! */ >+ goto fail; > gotit: >- udp_port_rover = snum = result; >+ snum = rover; > } else { > struct sock *sk2; > int addr_type = ipv6_addr_type(&sk->net_pinfo.af_inet6.rcv_saddr); >diff -Naur linux.default/net/netsyms.c linux/net/netsyms.c >--- linux.default/net/netsyms.c 2008-07-09 23:24:42.000000000 +0800 >+++ linux/net/netsyms.c 2008-07-10 08:22:22.000000000 +0800 >@@ -66,7 +66,6 @@ > > extern int sysctl_local_port_range[2]; > extern int tcp_port_rover; >-extern int udp_port_rover; > #endif > > #endif >@@ -376,7 +375,6 @@ > EXPORT_SYMBOL(tcp_reset_keepalive_timer); > EXPORT_SYMBOL(sysctl_local_port_range); > EXPORT_SYMBOL(tcp_port_rover); >-EXPORT_SYMBOL(udp_port_rover); > EXPORT_SYMBOL(tcp_sync_mss); > EXPORT_SYMBOL(net_statistics); > EXPORT_SYMBOL(__tcp_mem_reclaim);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 454566
:
311378
|
311379
| 311434 |
311435