Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp17926677ybl; Thu, 2 Jan 2020 14:58:47 -0800 (PST) X-Google-Smtp-Source: APXvYqycm5hkFBSODMkuPeCVXYmFQ3TfT+rdXcWJbv8z15IUWWqSuEW+ITRV6QnoQfOKp2ThH+uH X-Received: by 2002:a9d:65da:: with SMTP id z26mr86746067oth.197.1578005926960; Thu, 02 Jan 2020 14:58:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578005926; cv=none; d=google.com; s=arc-20160816; b=ntDnoDZgaHncY9KNKQvSyneCRpfOhJSebWfEEZyMZwcBMp5P/8JVHsJkMEuUD+UDzf GxHR66/57X+LE5KsgD5Eo35nI2lfqHl00P9Tm7isjFOOazjuXXKaKAe0kK27nypf6lS4 i0zAGGjJLNF4gPtQgQ9DFJVsO2jo6gL1FGymjZ/9E+YX+C4ccYlH9W8icqpSGypAxLCH OGisorNXVxM7UjLg3JfOoXmlUZoUOB1Rj7J2G6+qvQvapoI24/0cCAuN0gw/Bs2gdXeT QG1kcui4qop/rSqxe67SIqB6KQlwyLcUfe+dF1gb64CY7v6FTbSDKFNNV+HeuXF1RSGp /s/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=WOhzJw1m8D36NlF6mff7ueF6i17cIEx5SqUJIPYXPDc=; b=uOre2BIk0tGGSx9uF/1eAIQ3e4Zl6vvc1pfdSMeXBlOr7eGZaDI2WKUfHSR7wgpRJB mXjkQ2XQC1i872YMg/RhV9WnXb8m+M2scf/SxxaKXl25XpDSPRsD+xLK40OOrvFdxIKf jWPa14D4n/yw2LlPNGx0TH5wdLst6l0SeAmFiCxytC5XrIKke12rKo5KCM7VWRxyjYtR TPXRIR3ClOP00a5I2XNu9u1/vJrYb+gRkGDkupXd+4p+OGb9hmfFbOy9bctsu226oj+x dl/enaAoII1d1buKRQ1CwU9qV2LpXj1BwyE+VbAj5MlkMhtoDh9EbH+OIegVejrcteGX gNTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="e/okBfdP"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z12si28081157otm.189.2020.01.02.14.58.35; Thu, 02 Jan 2020 14:58:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="e/okBfdP"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729121AbgABW5W (ORCPT + 99 others); Thu, 2 Jan 2020 17:57:22 -0500 Received: from mail.kernel.org ([198.145.29.99]:59448 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728091AbgABWRI (ORCPT ); Thu, 2 Jan 2020 17:17:08 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9FE27227BF; Thu, 2 Jan 2020 22:17:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578003428; bh=231M9ZcOHkbunKVp1/YyJEDypQXx8MuXr0Vb+2TFM1k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e/okBfdPv0fRpo2xCJVLoJJuuvUgXuE9cWu9iJ2en6hRaaj1xKpOmafx1yvsvJhfL sPQcGQcSQLG15efmqs5/3GtzOoDhaNYbgz1sGl3X7UjndRBJAf6envLLHQD9zkAng0 E60LO4TBBx7Ul/b8al/KRVikNMhxJ75Nmp9d3i+4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Antonio Messina , "David S. Miller" Subject: [PATCH 5.4 157/191] udp: fix integer overflow while computing available space in sk_rcvbuf Date: Thu, 2 Jan 2020 23:07:19 +0100 Message-Id: <20200102215846.228365652@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200102215829.911231638@linuxfoundation.org> References: <20200102215829.911231638@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Antonio Messina [ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ] When the size of the receive buffer for a socket is close to 2^31 when computing if we have enough space in the buffer to copy a packet from the queue to the buffer we might hit an integer overflow. When an user set net.core.rmem_default to a value close to 2^31 UDP packets are dropped because of this overflow. This can be visible, for instance, with failure to resolve hostnames. This can be fixed by casting sk_rcvbuf (which is an int) to unsigned int, similarly to how it is done in TCP. Signed-off-by: Antonio Messina Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/udp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct so * queue contains some other skb */ rmem = atomic_add_return(size, &sk->sk_rmem_alloc); - if (rmem > (size + sk->sk_rcvbuf)) + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) goto uncharge_drop; spin_lock(&list->lock);