blob: 6fe35e87cdcacef3b1e26155b716e59a9da342cf [file] [log] [blame]
From 74b1f7372de4cb07a4392d872c7d329953a3e963 Mon Sep 17 00:00:00 2001
From: Antonio Messina <>
Date: Thu, 19 Dec 2019 15:08:03 +0100
Subject: [PATCH] udp: fix integer overflow while computing available space in
commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a upstream.
When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.
When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.
This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.
Signed-off-by: Antonio Messina <>
Signed-off-by: David S. Miller <>
Signed-off-by: Paul Gortmaker <>
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 06a806322eb2..e2acad68d9ff 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1470,7 +1470,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
* queue contains some other skb
rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
- if (rmem > (size + sk->sk_rcvbuf))
+ if (rmem > (size + (unsigned int)sk->sk_rcvbuf))
goto uncharge_drop;