DPDK ip_frag security analysis

Stephen Hemminger stephen at networkplumber.org
Thu Apr 9 22:10:44 CEST 2026


On Thu, 9 Apr 2026 13:04:52 +0000
Konstantin Ananyev <konstantin.ananyev at huawei.com> wrote:

> >    Fix: use TAILQ_FOREACH_SAFE, or save TAILQ_NEXT(fp, lru) before
> >    calling ip_frag_tbl_del().  
> 
> ACK, that looks like a valid one to me.

I sent a patch for that one:
https://patchwork.dpdk.org/project/dpdk/patch/20260408161947.285185-2-stephen@networkplumber.org/

> > 6. Hash collision DoS via fixed seed
> > 
> >    Both ipv4_frag_hash() and ipv6_frag_hash() use CRC32 (x86/ARM)
> >    or jhash with a fixed, publicly known prime seed (0xeaad8405).
> >    An attacker who can send crafted IP fragments can precompute hash
> >    collisions, causing all fragments to land in the same bucket.
> >    After bucket_entries concurrent flows collide, new flows are
> >    dropped.
> > 
> >    Fix: randomize the hash seed at table creation time.  
> 
> ACK, seems valid - needs to be fixed.

Sent a patch for that one:
https://patchwork.dpdk.org/project/dpdk/patch/20260408161947.285185-3-stephen@networkplumber.org/

Probably should go to a better hash function to be really paranoid.
Linux and BSD switched over to siphash because of this.
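As an added illustration of the two fixes discussed in this thread (a per-table random seed instead of the fixed 0xeaad8405 constant, and a keyed hash such as SipHash instead of CRC32/jhash), here is a self-contained SipHash-2-4 keyed over a fragment flow key. This is example code, not DPDK's ip_frag implementation or Stephen's patch; the `frag_key`/`frag_tbl` layouts are hypothetical and it assumes Linux `getrandom()` from glibc.

```c
#include <stdint.h>
#include <stddef.h>
#include <sys/random.h>   /* getrandom(): Linux, glibc >= 2.25 (assumption) */

#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2;                    \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0;                    \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4: a keyed PRF over `in`; the 128-bit key is k0||k1.
 * Without the key an attacker cannot precompute bucket collisions. */
uint64_t siphash24(const uint8_t *in, size_t len, uint64_t k0, uint64_t k1) {
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    const uint8_t *end = in + (len & ~(size_t)7);
    for (; in != end; in += 8) {           /* full 8-byte words */
        uint64_t m = le64(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;      /* tail bytes + length byte */
    for (size_t i = 0; i < (len & 7); i++) b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical fragment-table state: the hash key is per table, not global. */
struct frag_key { uint32_t src, dst, id; };   /* IPv4 src, dst, IP identification */
struct frag_tbl { uint64_t k0, k1; uint32_t nb_buckets; };

/* Draw the key from the OS CSPRNG at table creation, never from a constant. */
int frag_tbl_init(struct frag_tbl *t, uint32_t nb_buckets) {
    uint64_t k[2];
    if (getrandom(k, sizeof k, 0) != (ssize_t)sizeof k) return -1;
    t->k0 = k[0]; t->k1 = k[1]; t->nb_buckets = nb_buckets;
    return 0;
}

uint32_t frag_bucket(const struct frag_tbl *t, const struct frag_key *k) {
    return (uint32_t)(siphash24((const uint8_t *)k, sizeof *k, t->k0, t->k1) % t->nb_buckets);
}
```

Two tables created in the same process end up with different keys, so a collision set built against one deployment does not carry over to another.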


More information about the dev mailing list