Hi, I have a suggestion for the openbsd net security patch. In the function static int tcp_v4_get_port(struct sock *sk, unsigned short snum) there's the code that says: rover = tcp_port_rover; (like 224 on the version of tcp_ipv4.c patched with your patch for rc2 of 2.6.11) I would like to suggest to change it to: get_random_bytes(&rover, sizeof(rover)); no checks around it: that's already been taken care of in the original code.
And for the ipv6 code: diff -uNr tcp_ipv6.c.org tcp_ipv6.c --- tcp_ipv6.c.org 2005-03-04 22:28:53.181183066 +0100 +++ tcp_ipv6.c 2005-03-04 22:32:56.425994913 +0100 @@ -138,8 +138,8 @@ int remaining = (high - low) + 1; int rover; + get_random_bytes(&rover, sizeof(rover)); spin_lock(&tcp_portalloc_lock); - rover = tcp_port_rover; do { rover++; if ((rover < low) || (rover > high)) rover = low; Folkert van Heusden Op zoek naar een IT of Finance baan? Mail me voor de mogelijkheden! +------------------------------------------------------------------+ |UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/)| |a try, it brings monitoring logfiles to a different level! See | |http://vanheusden.com/multitail/features.html for a feature list. | +------------------------------------------= www.unixsoftware.nl =-+ Phone: +31-6-41278122, PGP-key: 1F28D8AE Get your PGP/GPG key signed at www.biglumber.com!
signature.asc
Description: Digital signature