bshastry / jhash-fuzz

Fuzzing Jenkins hash for collisions
MIT License

Include destination port in checking for collisions #2

Open hashkash opened 4 years ago

hashkash commented 4 years ago

I noticed that the collisions were based on only the source ip and port, however, iiuc, Katran uses the source and destination ports [1] as the second argument to jhash_2words [2]. As I couldn't get this to build and it runs pretty fast, could you please include the destination port as well?

Not sure if the below code suggestion is correct.

```c
if (len != 7) {
    return 0;
}
unsigned port = (
    data[4] << 16 |
    data[5] << 8 |
    data[6]
);
unsigned h = jhash_2words(sourceIp, port, salt);
```

[1] https://github.com/facebookincubator/katran/blob/7355f08aba1e174444ea025d2f9bba78c768842a/katran/lib/bpf/balancer_structs.h#L36

[2] https://github.com/facebookincubator/katran/blob/1476600aa4150a9cc04745401f90e34e96ec1fd0/katran/lib/bpf/balancer_kern.c#L31

hashkash commented 4 years ago

The salt value used (33554944) is correct afaiu.

hashkash commented 4 years ago

Perhaps I misunderstood this when I opened the issue so please correct me. I now understand the collision results as follows.

Only the source ip and ports were used as that's attacker controlled. So, the collisions indicate that (sip1, sp1) and (sip2, sp2) will result in a collision? Would this still hold if the destination port is also included in the hash? If not, then, I would suggest to include destination port 80 and 443 to obtain new collisions.

Wdyt?
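Added example, not code from this repository or from Katran: a small checker for the question raised in the thread, comparing the hash of a flow keyed on (source IP, source port) with the hash keyed on (source IP, both ports). `jhash_2words` follows the Linux kernel's `jhash.h` definition and the salt is the value quoted above; the port packing (source port in the low 16 bits, destination port in the high 16 bits, host byte order), the helper names and the sample flows are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define JHASH_INITVAL 0xdeadbeefu
#define SALT 33554944u /* salt value quoted in the thread */

static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }

/* jhash_2words as defined in the Linux kernel's jhash.h (third word is 0). */
uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval)
{
    uint32_t c;
    initval += JHASH_INITVAL + (2 << 2);
    a += initval; b += initval; c = initval;
    c ^= b; c -= rol32(b, 14);
    a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);
    c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);
    b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c;
}

/* Assumed packing of both ports into the second hash word. */
uint32_t pack_ports(uint16_t sport, uint16_t dport)
{
    return (uint32_t)sport | ((uint32_t)dport << 16);
}

/* Key layout the issue says the fuzzer uses: source IP and source port only. */
uint32_t hash_src_only(uint32_t sip, uint16_t sport)
{
    return jhash_2words(sip, sport, SALT);
}

/* Key layout with the destination port included in the second word. */
uint32_t hash_with_dport(uint32_t sip, uint16_t sport, uint16_t dport)
{
    return jhash_2words(sip, pack_ports(sport, dport), SALT);
}

int main(void)
{
    /* Constructed sample flow: 10.0.0.1:40000 towards ports 80 and 443. */
    uint32_t sip = 0x0a000001u;
    printf("src-only  : %08x\n", (unsigned)hash_src_only(sip, 40000));
    printf("dport 80  : %08x\n", (unsigned)hash_with_dport(sip, 40000, 80));
    printf("dport 443 : %08x\n", (unsigned)hash_with_dport(sip, 40000, 443));
    return 0;
}
```

Under this packing the source-only key is the same hash input as destination port 0, so a colliding pair reported for that key has to be re-checked with `hash_with_dport` for each destination port of interest.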