[PATCH] udp: fix integer overflow while computing available space in sk_rcvbuf

From: Antonio Messina
Date: Thu Dec 19 2019 - 09:08:12 EST

Next message: Stanimir Varbanov: "Re: [PATCH v2 06/12] dt-bindings: media: venus: Convert msm8916 to DT schema"
Previous message: David Laight: "RE: [PATCH 1/2] uapi: split openat2(2) definitions from fcntl.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.

When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.

This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.

Signed-off-by: Antonio Messina <amessina@xxxxxxxxxx>
---
net/ipv4/udp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 4da5758cc718..93a355b6b092 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
* queue contains some other skb
*/
rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
- if (rmem > (size + sk->sk_rcvbuf))
+ if (rmem > (size + (unsigned int)sk->sk_rcvbuf))
goto uncharge_drop;

spin_lock(&list->lock);
--
2.24.1.735.g03f4e72817-goog

Next message: Stanimir Varbanov: "Re: [PATCH v2 06/12] dt-bindings: media: venus: Convert msm8916 to DT schema"
Previous message: David Laight: "RE: [PATCH 1/2] uapi: split openat2(2) definitions from fcntl.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]