From: Alice Mikityanska Currently, gro_max_size and gro_ipv4_max_size can be set to values bigger than 65536, and GRO will happily aggregate UDP to the configured size (for example, with TCP traffic in VXLAN tunnels). However, udp_gro_complete uses the 16-bit length field in the UDP header to store the length of the aggregated packet. It leads to the packet truncation later in __udp4_lib_rcv. Fix this by storing 0 to the UDP length field and by restoring the real length from skb->len in __udp4_lib_rcv. Signed-off-by: Alice Mikityanska Reviewed-by: Willem de Bruijn --- net/ipv4/udp.c | 5 ++++- net/ipv4/udp_offload.c | 4 ++-- net/ipv6/udp_offload.c | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 3e92575f1d55..856c23b9d6dd 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -2583,8 +2583,8 @@ int udp_rcv(struct sk_buff *skb) struct rtable *rt = skb_rtable(skb); struct net *net = dev_net(skb->dev); struct sock *sk = NULL; - unsigned short ulen; __be32 saddr, daddr; + unsigned int ulen; struct udphdr *uh; bool refcounted; int drop_reason; @@ -2605,6 +2605,9 @@ int udp_rcv(struct sk_buff *skb) if (ulen > skb->len) goto short_packet; + if (!ulen) + ulen = skb->len; + if (ulen < sizeof(*uh)) goto short_packet; diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 22acc80b12a4..23653872ca65 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -916,7 +916,7 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff, struct sock *sk; int err; - udp_set_len_short(uh, newlen); + udp_set_len(uh, newlen); sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb, udp4_lib_lookup_skb, skb, uh->source, uh->dest); @@ -953,7 +953,7 @@ INDIRECT_CALLABLE_SCOPE int udp4_gro_complete(struct sk_buff *skb, int nhoff) /* do fraglist only if there is no outer UDP encap (or we already processed it) */ if (NAPI_GRO_CB(skb)->is_flist && !NAPI_GRO_CB(skb)->encap_mark) { - udp_set_len_short(uh, skb->len - nhoff); + udp_set_len(uh, skb->len - nhoff); skb_shinfo(skb)->gso_type |= (SKB_GSO_FRAGLIST|SKB_GSO_UDP_L4); skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count; diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index c92cf5ee3e6a..7370bcb80332 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -171,7 +171,7 @@ int udp6_gro_complete(struct sk_buff *skb, int nhoff) /* do fraglist only if there is no outer UDP encap (or we already processed it) */ if (NAPI_GRO_CB(skb)->is_flist && !NAPI_GRO_CB(skb)->encap_mark) { - udp_set_len_short(uh, skb->len - nhoff); + udp_set_len(uh, skb->len - nhoff); skb_shinfo(skb)->gso_type |= (SKB_GSO_FRAGLIST|SKB_GSO_UDP_L4); skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count; -- 2.54.0