summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAntonio Messina <amessina@google.com>2019-12-19 17:08:03 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-04 16:00:13 +0300
commit343f3056b542cf9c64c18c43a764752067887b14 (patch)
tree272217498afe17614521fcb3270ec935ab0f6fff
parent2dece4d6d13fe179ee3a5991811712725a56e2f7 (diff)
downloadlinux-343f3056b542cf9c64c18c43a764752067887b14.tar.xz
udp: fix integer overflow while computing available space in sk_rcvbuf
[ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ] When the size of the receive buffer for a socket is close to 2^31 when computing if we have enough space in the buffer to copy a packet from the queue to the buffer we might hit an integer overflow. When an user set net.core.rmem_default to a value close to 2^31 UDP packets are dropped because of this overflow. This can be visible, for instance, with failure to resolve hostnames. This can be fixed by casting sk_rcvbuf (which is an int) to unsigned int, similarly to how it is done in TCP. Signed-off-by: Antonio Messina <amessina@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/ipv4/udp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ab3f272a0884..e33258d69246 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1338,7 +1338,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
* queue contains some other skb
*/
rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
- if (rmem > (size + sk->sk_rcvbuf))
+ if (rmem > (size + (unsigned int)sk->sk_rcvbuf))
goto uncharge_drop;
spin_lock(&list->lock);