diff options
| author | Antonio Messina <amessina@google.com> | 2019-12-19 15:08:03 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-04 19:18:49 +0100 |
| commit | ff4839120cbe24c2cbf4339b17771c7140e81720 (patch) | |
| tree | 37f0348bd61ed3e952b230bc8bacdbcd78b57299 | |
| parent | 4c5fa9d3c87497e5f753ae48f692e84e8a732e9b (diff) | |
| download | linux-stable-ff4839120cbe24c2cbf4339b17771c7140e81720.tar.gz linux-stable-ff4839120cbe24c2cbf4339b17771c7140e81720.tar.bz2 linux-stable-ff4839120cbe24c2cbf4339b17771c7140e81720.zip | |
udp: fix integer overflow while computing available space in sk_rcvbuf
[ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ]
When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.
When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.
This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.
Signed-off-by: Antonio Messina <amessina@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/ipv4/udp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 447defbfccdd..7aa4e77161f6 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) * queue contains some other skb */ rmem = atomic_add_return(size, &sk->sk_rmem_alloc); - if (rmem > (size + sk->sk_rcvbuf)) + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) goto uncharge_drop; spin_lock(&list->lock); |