Commit feed8a4f authored by Antonio Messina's avatar Antonio Messina Committed by David S. Miller

udp: fix integer overflow while computing available space in sk_rcvbuf

When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.

When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.

This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.
Signed-off-by: default avatarAntonio Messina <amessina@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c6017471
...@@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) ...@@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
* queue contains some other skb * queue contains some other skb
*/ */
rmem = atomic_add_return(size, &sk->sk_rmem_alloc); rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
if (rmem > (size + sk->sk_rcvbuf)) if (rmem > (size + (unsigned int)sk->sk_rcvbuf))
goto uncharge_drop; goto uncharge_drop;
spin_lock(&list->lock); spin_lock(&list->lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment