| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Aug 2018 21:43:13 -0700 (PDT) From: David Miller <davem@...emloft.net> To: edumazet@...gle.com Cc: netdev@...r.kernel.org, alexandg@...unm.edu, eric.dumazet@...il.com Subject: Re: [PATCH net] ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state From: Eric Dumazet <edumazet@...gle.com> Date: Wed, 22 Aug 2018 13:30:45 -0700 > tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally > to send some control packets. > > 1) RST packets, through tcp_v4_send_reset() > 2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack() > > These packets assert IP_DF, and also use the hashed IP ident generator > to provide an IPv4 ID number. > > Geoff Alexander reported this could be used to build off-path attacks. > > These packets should not be fragmented, since their size is smaller than > IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment, > regardless of inner IPID. > > We really can use zero IPID, to address the flaw, and as a bonus, > avoid a couple of atomic operations in ip_idents_reserve() > > Signed-off-by: Eric Dumazet <edumazet@...gle.com> > Reported-by: Geoff Alexander <alexandg@...unm.edu> > Tested-by: Geoff Alexander <alexandg@...unm.edu> Applied and queued up for -stable.
Powered by blists - more mailing lists