Red Hat Bugzilla – Bug 480137
Improve udp port randomization
Last modified: 2009-05-18 15:37:31 EDT
Current implementation of udp port randomization contains several problems mentioned in upstream commit:
Author: Eric Dumazet <firstname.lastname@example.org>
Date: Wed Oct 8 11:44:17 2008 -0700
udp: Improve port randomization
Current UDP port allocation is suboptimal.
We select the shortest chain to chose a port (out of 512)
that will hash in this shortest chain.
First, it can lead to give not so ramdom ports and ease
give attackers more opportunities to break the system.
Second, it can consume a lot of CPU to scan all table
in order to find the shortest chain.
Third, in some pathological cases we can fail to find
a free port even if they are plenty of them.
This patch zap the search for a short chain and only
use one random seed. Problem of getting long chains
should be addressed in another way, since we can
obtain long chains with non random ports.
We need to integrate those changes from upstream GIT:
9088c560 udp: Improve port randomization
f24d43c0 udp: complete port availability checking
I can confirm that my concern mentioned in comments for bug 458022 are completely solved by these patches.
Note: RHEL-5 kernel needs these changes as well.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Committed in 82.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.