On Tue, Nov 28, 2017 at 01:18:37PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Don't leak the kernel pointer to userspace by adding a random seed. If
> > you want a unique conntrack ID, used the new CTA_ID64 attribute.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> > net/netfilter/nf_conntrack_netlink.c | 15 +++++++++++++--
> > 1 file changed, 13 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index 7aecb8ae5ecc..9a3357eeecdc 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -60,6 +60,7 @@
> > MODULE_LICENSE("GPL");
> >
> > static char __initdata version[] = "0.93";
> > +static u32 nf_ct_seed __read_mostly;
> >
> > static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
> > const struct nf_conntrack_tuple *tuple,
> > @@ -444,9 +445,19 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
> > return -1;
> > }
> >
> > +static u32 nf_ct_id32(const struct nf_conn *ct)
> > +{
> > + u32 id = (u32)(unsigned long)ct;
> > +
> > + if (!nf_ct_seed)
> > + nf_ct_seed = get_random_u32();
> > +
> > + return id + nf_ct_seed;
> > +}
>
> If we have the 64bit id, why not use it instead of ct address?
What part of the 64bit would you take? The upper 32-bits are likely to
move not very often with the approach this patchset describes. The
lower 32-bits will bump quickly, but will likely overlap with the same
ID in other CPU.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
