From: Stephen Hemminger <stephen@networkplumber.org>
To: Konstantin Ananyev <konstantin.ananyev@huawei.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: DPDK ip_frag security analyis
Date: Thu, 9 Apr 2026 13:10:44 -0700
Message-ID: <20260409131044.242b8b2d@phoenix.local>
In-Reply-To: <282c899d27cb40b292d199c7490f3ede@huawei.com>

On Thu, 9 Apr 2026 13:04:52 +0000
Konstantin Ananyev <konstantin.ananyev@huawei.com> wrote:
> > Fix: use TAILQ_FOREACH_SAFE, or save TAILQ_NEXT(fp, lru) before
> > calling ip_frag_tbl_del().
>
> ACK, that looks like a valid one to me.

I sent a patch for that one:
https://patchwork.dpdk.org/project/dpdk/patch/20260408161947.285185-2-stephen@networkplumber.org/

> > 6. Hash collision DoS via fixed seed
> >
> > Both ipv4_frag_hash() and ipv6_frag_hash() use CRC32 (x86/ARM)
> > or jhash with a fixed, publicly known prime seed (0xeaad8405).
> > An attacker who can send crafted IP fragments can precompute hash
> > collisions, causing all fragments to land in the same bucket.
> > After bucket_entries concurrent flows collide, new flows are
> > dropped.
> >
> > Fix: randomize the hash seed at table creation time.
>
> ACK, seems valid - needs to be fixed.

Sent a patch for that one:
https://patchwork.dpdk.org/project/dpdk/patch/20260408161947.285185-3-stephen@networkplumber.org/

Probably should go to a better hash function to be really paranoid.
Linux and BSD switched over to siphash because of this.
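
Added example, not DPDK code and not the patch linked above: a sketch of the direction discussed in this message, where the bucket index comes from SipHash-2-4 keyed with a secret drawn once per table at creation time. `struct frag_tbl`, `frag_tbl_init()`, `frag_bucket()` and the 12-byte src/dst/id flow key are hypothetical names and layout; `getrandom()` assumes Linux/glibc.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/random.h> /* getrandom(); Linux/glibc assumed for this sketch */

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t load_le(const uint8_t *p, size_t n) /* n <= 8 bytes, little-endian */
{
    uint64_t w = 0;
    for (size_t i = 0; i < n; i++)
        w |= (uint64_t)p[i] << (8 * i);
    return w;
}

/* SipHash-2-4, 64-bit output, keyed by the 128-bit secret (k0, k1). */
uint64_t siphash24(const uint8_t *in, size_t len, uint64_t k0, uint64_t k1)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t m; size_t i;
    for (i = 0; i + 8 <= len; i += 8) {
        m = load_le(in + i, 8);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    m = ((uint64_t)len << 56) | load_le(in + i, len - i); /* tail + length */
    v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND; /* finalization */
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical table (not DPDK's struct): secret key drawn once per table. */
struct frag_tbl { uint64_t k0, k1; uint32_t mask; };

int frag_tbl_init(struct frag_tbl *t, uint32_t nb_buckets) /* power of two */
{
    uint64_t k[2];
    if (getrandom(k, sizeof(k), 0) != (ssize_t)sizeof(k))
        return -1; /* fail closed: never fall back to a fixed key */
    t->k0 = k[0]; t->k1 = k[1]; t->mask = nb_buckets - 1;
    return 0;
}

uint32_t frag_bucket(const struct frag_tbl *t, const uint8_t key[12]) /* src|dst|id */
{
    return (uint32_t)siphash24(key, 12, t->k0, t->k1) & t->mask;
}
```

The key has to stay private to the table and be redrawn for every table; the bucket index is only unpredictable to a sender for as long as the key is not exposed.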