lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120927160054.105f4711@nehalam.linuxnetplumber.net> Date: Thu, 27 Sep 2012 16:00:54 -0700 From: Stephen Hemminger <shemminger@...tta.com> To: David Miller <davem@...emloft.net> Cc: jesse@...ira.com, chrisw@...hat.com, netdev@...r.kernel.org Subject: Re: [PATCHv5 net-next] vxlan: virtual extensible lan On Thu, 27 Sep 2012 18:47:40 -0400 (EDT) David Miller <davem@...emloft.net> wrote: > From: Stephen Hemminger <shemminger@...tta.com> > Date: Tue, 25 Sep 2012 15:09:57 -0700 > > > +/* Hash Ethernet address */ > > +static u32 eth_hash(const unsigned char *addr) > > +{ > > + /* could be optimized for unaligned access */ > > + u32 a = addr[5] << 8 | addr[4]; > > + u32 b = addr[3] << 24 | addr[2] << 16 | addr[1] << 8 | addr[0]; > > + > > + return jhash_2words(a, b, vxlan_salt); > > +} > > + > > +/* Hash chain to use given mac address */ > > +static inline struct hlist_head *vxlan_fdb_head(struct vxlan_dev *vxlan, > > + const u8 *mac) > > +{ > > + return &vxlan->fdb_head[hash_32(eth_hash(mac), FDB_HASH_BITS)]; > > +} > > This hashing is way overkill, and in fact is a mis-use of Jenkins. > > Jenkins can work fine with power-of-two hash sizes, so using hash_32() > on the Jenkins hash result is nothing short of silly. > > I would go one step further and change this to: > > (a ^ b) * vxlan_salt Ok, but doubt that it makes much difference. > > much like how we hash IP addresses in the ipv4 ARP tables. That > function is a universal hash, and therefore provides whatever kind > of protection you're trying to obtain using the salt. > > But I wonder if this matters at all, the administrator controls > the contents of this table, rather than external entitites. The table includes values learned from packets received. Like a bridge, a malicious attacker who can forge MAC sourc addresses can overload one chain by swamping the table with bogus values. Probably needs a table limit. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists