authorDavid S. Miller <davem@davemloft.net>2007-03-23 14:40:27 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-04-26 01:28:06 -0400
commitb3da2cf37c5c6e47698957a25ab43a7223dbb90f (patch)
treee8892392aaf7e3d3544ede23c21791e2317b177d /net
parentd30045a0bcf144753869175dd9d840f7ceaf4aba (diff)
[INET]: Use jhash + random secret for ehash.
The days are gone when this was not an issue, there are folks out there with huge bot networks that can be used to attack the established hash tables on remote systems. So just like the routing cache and connection tracking hash, use Jenkins hash with random secret input. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/af_inet.c16
-rw-r--r--net/ipv6/af_inet6.c5
2 files changed, 21 insertions, 0 deletions
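--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -87,6 +87,7 @@
 #include <linux/init.h>
 #include <linux/poll.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/random.h>
 
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -217,6 +218,16 @@ out:
  return err;
 }
 
+u32 inet_ehash_secret;
+EXPORT_SYMBOL(inet_ehash_secret);
+
+void build_ehash_secret(void)
+{
+ while (!inet_ehash_secret)
+ get_random_bytes(&inet_ehash_secret, 4);
+}
+EXPORT_SYMBOL(build_ehash_secret);
+
 /*
  * Create an inet socket.
  */
@@ -233,6 +244,11 @@ static int inet_create(struct socket *sock, int protocol)
  int try_loading_module = 0;
  int err;
 
+ if (sock->type != SOCK_RAW &&
+ sock->type != SOCK_DGRAM &&
+ !inet_ehash_secret)
+ build_ehash_secret();
+
  sock->state = SS_UNCONNECTED;
 
  /* Look for the requested type/protocol pair. */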
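Review bot: `build_ehash_secret()` fills the global `inet_ehash_secret` in place inside its `while` loop, and nothing visible in these hunks serialises callers, so two tasks creating their first stream socket concurrently can each see zero and each store a different value. A socket hashed under the first value would then be looked up under the second, which presumably leaves it unfindable in the established table. Drawing the bytes into a local, retrying while that local is zero, and publishing it once with `cmpxchg()` keeps the first secret stable for the lifetime of the system. The same rewrite replaces the bare `4` with `sizeof(rnd)` and gives room for a comment saying that zero is the "not yet initialised" sentinel.

```c
void build_ehash_secret(void)
{
	u32 rnd;

	/* Zero means "not yet initialised", so never publish it. */
	do {
		get_random_bytes(&rnd, sizeof(rnd));
	} while (rnd == 0);

	/* Only the first caller's value is kept. */
	cmpxchg(&inet_ehash_secret, 0, rnd);
}
```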
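--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -98,6 +98,11 @@ static int inet6_create(struct socket *sock, int protocol)
  int try_loading_module = 0;
  int err;
 
+ if (sock->type != SOCK_RAW &&
+ sock->type != SOCK_DGRAM &&
+ !inet_ehash_secret)
+ build_ehash_secret();
+
  /* Look for the requested type/protocol pair. */
  answer = NULL;
 lookup_protocol: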
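Review bot: The socket-type test added at the top of `inet6_create()` is a copy of the one added to `inet_create()`, so the rule for which sockets need the secret now lives in two files and can drift apart. A small inline helper placed next to the declaration of `inet_ehash_secret` (that header is not shown on this page) would keep the rule in one place. Either way the condition deserves a comment such as `/* Raw and datagram sockets never enter the established hash, so they do not need the secret. */`; that reading is inferred from the commit title and should be confirmed. inet6_create's body starts and ends outside the hunk.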