Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID

From: Florian Westphal
Date: Wed Jul 12 2017 - 18:21:15 EST


Richard Weinberger <richard@xxxxxx> wrote:
> On 01.07.2017 at 12:35, Florian Westphal wrote:
> > The compare on removal is not needed afaics, and it's also not used when
> > doing lookup to begin with, so we can just recompute it?
>
> Isn't this way too much overhead?

I don't think so. This computation only occurs when we dump events
to userspace.

> I personally favor Pablo's per-cpu counter approach.
> That way the IDs are unique again and we get rid of the info leak without
> much effort.

I have not seen these patches so can't really comment.