| From 74b1f7372de4cb07a4392d872c7d329953a3e963 Mon Sep 17 00:00:00 2001 |
| From: Antonio Messina <amessina@google.com> |
| Date: Thu, 19 Dec 2019 15:08:03 +0100 |
| Subject: [PATCH] udp: fix integer overflow while computing available space in |
| sk_rcvbuf |
| |
| commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a upstream. |
| |
| When the size of the receive buffer for a socket is close to 2^31 when |
| computing if we have enough space in the buffer to copy a packet from |
| the queue to the buffer we might hit an integer overflow. |
| |
| When an user set net.core.rmem_default to a value close to 2^31 UDP |
| packets are dropped because of this overflow. This can be visible, for |
| instance, with failure to resolve hostnames. |
| |
| This can be fixed by casting sk_rcvbuf (which is an int) to unsigned |
| int, similarly to how it is done in TCP. |
| |
| Signed-off-by: Antonio Messina <amessina@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c |
| index 06a806322eb2..e2acad68d9ff 100644 |
| --- a/net/ipv4/udp.c |
| +++ b/net/ipv4/udp.c |
| @@ -1470,7 +1470,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) |
| * queue contains some other skb |
| */ |
| rmem = atomic_add_return(size, &sk->sk_rmem_alloc); |
| - if (rmem > (size + sk->sk_rcvbuf)) |
| + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) |
| goto uncharge_drop; |
| |
| spin_lock(&list->lock); |
| -- |
| 2.7.4 |
| |