On Thu, 9 Apr 2026 13:04:52 +0000 Konstantin Ananyev <[email protected]> wrote:

> > Fix: use TAILQ_FOREACH_SAFE, or save TAILQ_NEXT(fp, lru) before
> > calling ip_frag_tbl_del().
>
> ACK, that looks like a valid one to me.
> I sent a patch for that one:
> https://patchwork.dpdk.org/project/dpdk/patch/[email protected]/
>
> > 6. Hash collision DoS via fixed seed
> >
> > Both ipv4_frag_hash() and ipv6_frag_hash() use CRC32 (x86/ARM)
> > or jhash with a fixed, publicly known prime seed (0xeaad8405).
> > An attacker who can send crafted IP fragments can precompute hash
> > collisions, causing all fragments to land in the same bucket.
> > After bucket_entries concurrent flows collide, new flows are
> > dropped.
> >
> > Fix: randomize the hash seed at table creation time.
>
> ACK, seems valid - needs to be fixed.
> Sent a patch for that one:
> https://patchwork.dpdk.org/project/dpdk/patch/[email protected]/

Probably should go to a better hash function to be really paranoid.
Linux and BSD switched over to siphash because of this.
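The hash-collision point above, as an added example that is not part of the thread or of DPDK's own code: it models the seeded hash the report describes (CRC32C chained over src, dst and id, seeded with 0xeaad8405) and a toy bucketed reassembly table. The table geometry (1024 buckets of 4 entries), the key layout, the "fresh" seed and SipHash key values, the constructed addresses and the drop model are all assumptions of this example. An attacker who knows the seed scans fragment ids until 64 keys land in one bucket, which costs only about 64k hashes at 1024 buckets. The second check shows why the reply prefers a better hash over a random seed: CRC is linear over GF(2), so changing the seed XORs a single constant into every hash value, and the precomputed set still piles into one bucket under the new seed. A keyed non-linear hash (SipHash-2-4 here, transcribed from the reference description and not checked against its published test vectors) spreads the same set across the table.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_BUCKETS    1024u        /* assumed table size, power of two */
#define BUCKET_ENTRIES 4            /* assumed flows per bucket */
#define FIXED_SEED     0xeaad8405u  /* the constant named in the thread */
#define BUCKET(hv)     ((hv) & (NUM_BUCKETS - 1))

struct frag_key { uint32_t src, dst, id; };   /* simplified reassembly key */
typedef uint32_t (*frag_hash_fn)(const struct frag_key *, const void *secret);

/* Software CRC32C (reflected poly 0x82F63B78, no final XOR): what the x86
 * crc32 instruction computes for one 32-bit operand with state `init`. */
static uint32_t crc32c_4byte(uint32_t data, uint32_t init)
{
    uint32_t crc = init ^ data;
    for (int i = 0; i < 32; i++)
        crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    return crc;
}

/* CRC chained over src, dst, id as the thread describes; secret = 32-bit seed. */
static uint32_t crc_frag_hash(const struct frag_key *k, const void *secret)
{
    uint32_t v = crc32c_4byte(k->src, *(const uint32_t *)secret);
    v = crc32c_4byte(k->dst, v);
    return crc32c_4byte(k->id, v);
}

/* SipHash-2-4 over the key zero-padded to 16 bytes; secret = 128-bit key.
 * Transcribed from the reference description and not checked here against
 * the published test vectors; use a vetted implementation in production. */
#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)
static uint32_t sip_frag_hash(const struct frag_key *k, const void *secret)
{
    const uint64_t *key = secret;
    uint64_t m[2] = { (uint64_t)k->src | ((uint64_t)k->dst << 32), k->id };
    uint64_t b = (uint64_t)sizeof m << 56;                 /* length byte, no tail */
    uint64_t v0 = 0x736f6d6570736575ULL ^ key[0], v1 = 0x646f72616e646f6dULL ^ key[1];
    uint64_t v2 = 0x6c7967656e657261ULL ^ key[0], v3 = 0x7465646279746573ULL ^ key[1];
    for (int i = 0; i < 2; i++) { v3 ^= m[i]; SIPROUND; SIPROUND; v0 ^= m[i]; }
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return (uint32_t)(v0 ^ v1 ^ v2 ^ v3);
}

/* Attacker step: with the seed known, scan fragment ids until `want` keys land
 * in bucket `target`.  One id in NUM_BUCKETS does, so 64 keys cost ~64k hashes. */
static int precompute_colliding_keys(frag_hash_fn h, const void *secret,
                                     uint32_t target, struct frag_key *out, int want)
{
    int found = 0; uint32_t id = 0;
    do {
        struct frag_key k = { 0x0a000001u, 0x0a000002u, id };   /* constructed addresses */
        if (BUCKET(h(&k, secret)) == target)
            out[found++] = k;
    } while (found < want && ++id != 0);
    return found;
}

/* Toy table: a bucket holds BUCKET_ENTRIES flows and an arrival into a full
 * bucket is dropped, the flow loss the report describes (64 keys in one bucket
 * of 4 give 60 drops). */
static int simulate_drops(frag_hash_fn h, const void *secret,
                          const struct frag_key *keys, int n)
{
    uint8_t fill[NUM_BUCKETS] = { 0 };
    int drops = 0;
    for (int i = 0; i < n; i++) {
        uint32_t b = BUCKET(h(&keys[i], secret));
        if (fill[b] >= BUCKET_ENTRIES) drops++; else fill[b]++;
    }
    return drops;
}

/* CRC is linear over GF(2): hash(s2,k) ^ hash(s1,k) is one constant for every
 * key, so re-seeding only moves the whole collision set to another bucket. */
static int crc_seed_delta_is_constant(const struct frag_key *keys, int n,
                                      uint32_t s1, uint32_t s2)
{
    uint32_t delta = crc_frag_hash(&keys[0], &s1) ^ crc_frag_hash(&keys[0], &s2);
    for (int i = 1; i < n; i++)
        if ((crc_frag_hash(&keys[i], &s1) ^ crc_frag_hash(&keys[i], &s2)) != delta)
            return 0;
    return 1;
}

int main(void)
{
    struct frag_key keys[64];
    uint32_t fixed = FIXED_SEED, fresh = 0x5bd1e995u;   /* `fresh`: a seed drawn at table creation */
    uint64_t sipkey[2] = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }; /* stands in for a random key */
    int n = precompute_colliding_keys(crc_frag_hash, &fixed, 7, keys, 64);
    printf("CRC, fixed seed:    %d drops\n", simulate_drops(crc_frag_hash, &fixed, keys, n));
    printf("CRC, fresh seed:    %d drops, seed delta constant: %d\n",
           simulate_drops(crc_frag_hash, &fresh, keys, n), crc_seed_delta_is_constant(keys, n, fixed, fresh));
    printf("SipHash, fresh key: %d drops\n", simulate_drops(sip_frag_hash, sipkey, keys, n));
    return 0;
}
```

Whether the patch linked in the thread is affected depends on what it changed, which the quoted text does not show; the property demonstrated is only that re-seeding a CRC chain does not by itself separate keys that already collide, whereas a keyed hash with a secret the attacker cannot learn denies the precomputation in the first place. In this toy table the 64 precomputed keys produce 60 drops under both CRC seeds and about none under SipHash.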

