Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp17923395ybl; Thu, 2 Jan 2020 14:54:17 -0800 (PST) X-Google-Smtp-Source: APXvYqwLeJ76KzSZ6Nx+Hg+L2l9oID/II3Pq52n5u0xTmJlsNTFF+mx7w+zhFsDZuIcTnwe7RPrt X-Received: by 2002:a9d:4706:: with SMTP id a6mr88130871otf.331.1578005657666; Thu, 02 Jan 2020 14:54:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578005657; cv=none; d=google.com; s=arc-20160816; b=EwwymU92qjMdd8atDetiqH++EtlFcr0AYu4RI1833fk8blqRXug2+RZuzAE0U5YKjK +nAPmpbF9SPFqVcJiljQnEEE655GjCCDacQX9NRRv1bU/OMX9Q2NoxcraMwZeFCtjDe9 TJNakoqD6nb3qEnLPFieheDXjwPc5i2ODJBX01isa98128tE5RXKSfp2prBLhPWpdMpO 07iJAQ7Gkd61Cs/Vx/Qpi4z40fUUbwCehJqnAMMs0MRkGpMaUcA453HvbmKS74Q7EPpb kNCexsVzFhUD4vtqHPf/be+c/QF+CDoq7QiMUlRtQqpj5yz5E1kY1L7deoMvYvFLOSXS L24w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aO0japDnwn0ZRxjU6nj1gNjJL9tPR+2dBlPwdGIXgWM=; b=dJe/6C4GdBzwA0sh7f8rm+NwcnC/1qhMEwPTQ9zAMq+gshGO+kW7G5s68e3Hc3r055 tvHwwSg9p+5kFE5wVOtvUG+d4MVbqoJ1gfmjFjeKpTiXZm6lF5+PXVInyU6yRjHhJ5DA VHPbo3VGci34tPpJK/3vpdttuV6bWrhQtC7ralnRmtmbXZzVsJLC7zwlfYN0gcwcu36j LBnl6Z5VBtFzpBa+AW9Y/dPXKpYWlU48LCtqEQp1ci8HKDYxdcg1jcrULWo09TIxRMxv 4Iw0ysp4ggFwCYkuMVvEymlqePY5jPA2D3aLRkCcU1ggWxgDkbWIdYOa5iPvGVJsxnjn U5rg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="iVkg/xK3"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v6si29094699ota.19.2020.01.02.14.54.06; Thu, 02 Jan 2020 14:54:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="iVkg/xK3"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729134AbgABWWa (ORCPT + 99 others); Thu, 2 Jan 2020 17:22:30 -0500 Received: from mail.kernel.org ([198.145.29.99]:42816 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727800AbgABWWW (ORCPT ); Thu, 2 Jan 2020 17:22:22 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 18B2520863; Thu, 2 Jan 2020 22:22:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578003742; bh=Wsgxuzfmf8MpLBh4cCjlsXtj18cok1RUznmA3pkYYJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iVkg/xK3xfXrKH0P9f+IS0Frc9VqqmoKtYs3+4u9QsJBuJ3TJAzkcxGP/fEajwe0/ RA5FLTtLwJK796aCkPenUWwNXP7wr1FS4aMTlCu8cxyTiRaNIR88QXirgJfiehipbx 7JF9GS5JNaRuKD2QCYDj7l/ZbUC9HdmOB9tceBvo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antonio Messina , "David S. Miller" Subject: [PATCH 4.19 095/114] udp: fix integer overflow while computing available space in sk_rcvbuf Date: Thu, 2 Jan 2020 23:07:47 +0100 Message-Id: <20200102220038.721516462@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200102220029.183913184@linuxfoundation.org> References: <20200102220029.183913184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antonio Messina [ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ] When the size of the receive buffer for a socket is close to 2^31 when computing if we have enough space in the buffer to copy a packet from the queue to the buffer we might hit an integer overflow. When an user set net.core.rmem_default to a value close to 2^31 UDP packets are dropped because of this overflow. This can be visible, for instance, with failure to resolve hostnames. This can be fixed by casting sk_rcvbuf (which is an int) to unsigned int, similarly to how it is done in TCP. Signed-off-by: Antonio Messina Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/udp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1412,7 +1412,7 @@ int __udp_enqueue_schedule_skb(struct so * queue contains some other skb */ rmem = atomic_add_return(size, &sk->sk_rmem_alloc); - if (rmem > (size + sk->sk_rcvbuf)) + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) goto uncharge_drop; spin_lock(&list->lock);