grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Add some randomness to TCP source port selection.

From: Vladimir 'phcoder' Serbinenko
Subject: Re: [PATCH] Add some randomness to TCP source port selection.
Date: Mon, 6 Jun 2022 19:26:02 +0200


Le lun. 6 juin 2022, 19:25, Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> a écrit :
256 is a bad modulo. A prime would be a much better one for those purposes. Also get_time_ms counts up from arbitrary point in time, often boot. I suggest using some combination of etc
RTC, not etc

 and get_time to seed an LFSR algorithm

Le lun. 6 juin 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> a écrit :
GRUB uses a static source TCP port and increments for each new
connection. When rapidly restarting GRUB this can cause issues with some
firewalls that suspect that a reply attack is happening. In addition
GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
from HTTP for example. This cause the remote HTTP server to keep the TCP
session in TIME_WAIT and reject new connections from the same port
combination when restarted quickly. This helps to work around both
problems by shifting the source port by a small amount based on time.

The missing final ACK should also be addressed, but I'm not sure how to
resolve that.

Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
---
 grub-core/net/tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
index 93dee0caa..2eefd3168 100644
--- a/grub-core/net/tcp.c
+++ b/grub-core/net/tcp.c
@@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
   struct grub_net_network_level_interface *inf;
   grub_net_network_level_address_t gateway;
   grub_net_tcp_socket_t socket;
-  static grub_uint16_t in_port = 21550;
+  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
   struct grub_net_buff *nb;
   struct tcphdr *tcph;
   int i;
@@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
   socket->inf = inf;
   socket->out_nla = addr;
   socket->ll_target_addr = ll_target_addr;
-  socket->in_port = in_port++;
+  socket->in_port = in_port;
   socket->recv_hook = recv_hook;
   socket->error_hook = error_hook;
   socket->fin_hook = fin_hook;
--
2.35.1


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
reply via email to
[Prev in Thread] Current Thread [Next in Thread]