diff options
author | Antonio Messina <amessina@google.com> | 2019-12-19 17:08:03 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-04 16:00:13 +0300 |
commit | 343f3056b542cf9c64c18c43a764752067887b14 (patch) | |
tree | 272217498afe17614521fcb3270ec935ab0f6fff /net | |
parent | 2dece4d6d13fe179ee3a5991811712725a56e2f7 (diff) | |
download | linux-343f3056b542cf9c64c18c43a764752067887b14.tar.xz |
udp: fix integer overflow while computing available space in sk_rcvbuf
[ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ]
When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.
When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.
This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.
Signed-off-by: Antonio Messina <amessina@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/udp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index ab3f272a0884..e33258d69246 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1338,7 +1338,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) * queue contains some other skb */ rmem = atomic_add_return(size, &sk->sk_rmem_alloc); - if (rmem > (size + sk->sk_rcvbuf)) + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) goto uncharge_drop; spin_lock(&list->lock); |