Hi,
I have a suggestion for the openbsd net security patch.
In the function static int tcp_v4_get_port(struct sock *sk, unsigned short snum)
there's the code that says:
rover = tcp_port_rover;
(like 224 on the version of tcp_ipv4.c patched with your patch for rc2 of 2.6.11)
I would like to suggest to change it to:
get_random_bytes(&rover, sizeof(rover));
no checks around it: that's already been taken care of in the original
code.
And for the ipv6 code:
diff -uNr tcp_ipv6.c.org tcp_ipv6.c
--- tcp_ipv6.c.org 2005-03-04 22:28:53.181183066 +0100
+++ tcp_ipv6.c 2005-03-04 22:32:56.425994913 +0100
@@ -138,8 +138,8 @@
int remaining = (high - low) + 1;
int rover;
+ get_random_bytes(&rover, sizeof(rover));
spin_lock(&tcp_portalloc_lock);
- rover = tcp_port_rover;
do { rover++;
if ((rover < low) || (rover > high))
rover = low;
Folkert van Heusden
Op zoek naar een IT of Finance baan? Mail me voor de mogelijkheden!
+------------------------------------------------------------------+
|UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/)|
|a try, it brings monitoring logfiles to a different level! See |
|http://vanheusden.com/multitail/features.html for a feature list. |
+------------------------------------------= http://www.unixsoftware.nl =-+
Phone: +31-6-41278122, PGP-key: 1F28D8AE
Get your PGP/GPG key signed at http://www.biglumber.com!