| From foo@baz Wed 01 Jan 2020 10:36:29 PM CET |
| From: Antonio Messina <amessina@google.com> |
| Date: Thu, 19 Dec 2019 15:08:03 +0100 |
| Subject: udp: fix integer overflow while computing available space in sk_rcvbuf |
| |
| From: Antonio Messina <amessina@google.com> |
| |
| [ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ] |
| |
| When the size of the receive buffer for a socket is close to 2^31 when |
| computing if we have enough space in the buffer to copy a packet from |
| the queue to the buffer we might hit an integer overflow. |
| |
| When an user set net.core.rmem_default to a value close to 2^31 UDP |
| packets are dropped because of this overflow. This can be visible, for |
| instance, with failure to resolve hostnames. |
| |
| This can be fixed by casting sk_rcvbuf (which is an int) to unsigned |
| int, similarly to how it is done in TCP. |
| |
| Signed-off-by: Antonio Messina <amessina@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/udp.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/ipv4/udp.c |
| +++ b/net/ipv4/udp.c |
| @@ -1412,7 +1412,7 @@ int __udp_enqueue_schedule_skb(struct so |
| * queue contains some other skb |
| */ |
| rmem = atomic_add_return(size, &sk->sk_rmem_alloc); |
| - if (rmem > (size + sk->sk_rcvbuf)) |
| + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) |
| goto uncharge_drop; |
| |
| spin_lock(&list->lock); |
