From: Alice Mikityanska In the previous commit we started using uh->len = 0 as a marker of a GRO packet bigger than 65536 bytes. To prevent abuse by maliciously crafted packets, check the length in the UDP header in udp_gro_receive. Note that a similar check was present in udp_gro_receive_segment, but not in the UDP socket gro_receive flow. By adding an early check to udp_gro_receive, the check in udp_gro_receive_segment can be dropped. Signed-off-by: Alice Mikityanska --- net/ipv4/udp_offload.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 780df257a8d9..5d9de8998867 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -706,12 +706,8 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head, return NULL; } - /* Do not deal with padded or malicious packets, sorry ! */ ulen = udp_get_len_short(uh); - if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) { - NAPI_GRO_CB(skb)->flush = 1; - return NULL; - } + /* pull encapsulating udp header */ skb_gro_pull(skb, sizeof(struct udphdr)); @@ -781,8 +777,14 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb, struct sk_buff *p; struct udphdr *uh2; unsigned int off = skb_gro_offset(skb); + unsigned int ulen; int flush = 1; + /* Do not deal with padded or malicious packets, sorry! */ + ulen = udp_get_len_short(uh); + if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) + goto out; + /* We can do L4 aggregation only if the packet can't land in a tunnel * otherwise we could corrupt the inner stream. Detecting such packets * cannot be foolproof and the aggregation might still happen in some -- 2.52.0