On Tue, 28 Sep 1999, Sebastian wrote:

> A lot of people wrote to us and said that the typo where &secret[3] was
> meant but &secret+3 was written within the kernel code was the cause for
> this bug.
>
> In our tests, however, we applied nothing but this one-line patch and we
> still experienced small-difference ISN's (stealth tested this, but I
> believe in his skills :-).

Right. Andrea Arcangeli proposed this change on the kernel mailing list, but it wasn't the patch that actually got applied in 2.3.13pre13. This is the patch which I believe is intended to fix the easily-guessable sequence numbers:

--- linux.vanilla/net/ipv4/tcp_ipv4.c Sat Aug 28 20:00:59 1999
+++ linux.13p13/net/ipv4/tcp_ipv4.c Sun Sep 26 23:25:18 1999
@@ -525,7 +525,8 @@
 static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
 {
-	return secure_tcp_sequence_number(sk->saddr, sk->daddr,
+	return secure_tcp_sequence_number(skb->nh.iph->daddr,
+					  skb->nh.iph->saddr,
 					  skb->h.th->dest, skb->h.th->source);
 }

If I understand correctly, the bug was that the sequence number initialization erroneously didn't use the remote's IP address.

Jeremy
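Review bot: the argument order in the tcp_v4_init_sequence hunk deserves a second look: secure_tcp_sequence_number is now handed skb->nh.iph->daddr first and skb->nh.iph->saddr second, i.e. the local address of the incoming SYN before the peer's, which is the same local-then-remote pairing as the unchanged port arguments skb->h.th->dest, skb->h.th->source; the previous sk->saddr, sk->daddr followed the same convention, so the swap from the socket's addresses to the packet's IP header is what actually brings the remote address into the calculation. Also note that this hunk only changes which addresses feed secure_tcp_sequence_number and not how the ISN is derived from them, so it should be checked against the small-difference ISN observation quoted above rather than assumed to resolve it.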
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:48 PDT