svn commit: r337775 - head/sys/netinet

[Jonathan T. Looney]

Author: jtl
Date: Tue Aug 14 17:15:47 2018
New Revision: 337775
URL: https://svnweb.freebsd.org/changeset/base/337775

Log:
  Improve hashing of IPv4 fragments.
  
  Currently, IPv4 fragments are hashed into buckets based on a 32-bit
  key which is calculated by (src_ip ^ ip_id) and combined with a random
  seed. However, because an attacker can control the values of src_ip
  and ip_id, it is possible to construct an attack which causes very
  deep chains to form in a given bucket.
  
  To ensure more uniform distribution (and lower predictability for
  an attacker), calculate the hash based on a key which includes all
  the fields we use to identify a reassembly queue (dst_ip, src_ip,
  ip_id, and the ip protocol) as well as a random seed.
  
  Reviewed by:	jhb
  Security:	FreeBSD-SA-18:10.ip
  Security:	CVE-2018-6923

Modified:
  head/sys/netinet/ip_reass.c

Modified: head/sys/netinet/ip_reass.c
==============================================================================
--- head/sys/netinet/ip_reass.c	Tue Aug 14 17:14:33 2018	(r337774)
+++ head/sys/netinet/ip_reass.c	Tue Aug 14 17:15:47 2018	(r337775)
@@ -148,7 +148,7 @@ ip_reass(struct mbuf *m)
 	struct ipqhead *head;
 	int i, hlen, next;
 	u_int8_t ecn, ecn0;
-	uint32_t hash;
+	uint32_t hash, hashkey[3];
 #ifdef	RSS
 	uint32_t rss_hash, rss_type;
 #endif
@@ -202,8 +202,12 @@ ip_reass(struct mbuf *m)
 	m->m_data += hlen;
 	m->m_len -= hlen;
 
-	hash = ip->ip_src.s_addr ^ ip->ip_id;
-	hash = jenkins_hash32(&hash, 1, V_ipq_hashseed) & IPREASS_HMASK;
+	hashkey[0] = ip->ip_src.s_addr;
+	hashkey[1] = ip->ip_dst.s_addr;
+	hashkey[2] = (uint32_t)ip->ip_p << 16;
+	hashkey[2] += ip->ip_id;
+	hash = jenkins_hash32(hashkey, nitems(hashkey), V_ipq_hashseed);
+	hash &= IPREASS_HMASK;
 	head = &V_ipq[hash].head;
 	IPQ_LOCK(hash);