From: Alice Mikityanska
Currently, gro_max_size and gro_ipv4_max_size can be set to values bigger than 65536, and GRO will happily aggregate UDP to the configured size (for example, with TCP traffic in VXLAN tunnels). However, udp_gro_complete uses the 16-bit length field in the UDP header to store the length of the aggregated packet. It leads to the packet truncation later in udp_rcv. Fix this by storing 0 to the UDP length field and by restoring the real length from skb->len in udp_rcv. Additionally, restrict handling uh->len=0 in udpv6_rcv to BIG TCP and jumbograms only by using the udp_get_len helper.
Signed-off-by: Alice Mikityanska
Reviewed-by: Willem de Bruijn
---
 net/ipv4/udp.c | 4 ++--
 net/ipv4/udp_offload.c | 4 ++--
 net/ipv6/udp.c | 4 ++--
 net/ipv6/udp_offload.c | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 240a1adab278..3713ae77606f 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2591,8 +2591,8 @@ int udp_rcv(struct sk_buff *skb)
 struct rtable *rt = skb_rtable(skb);
 struct net *net = dev_net(skb->dev);
 struct sock *sk = NULL;
- unsigned short ulen;
 __be32 saddr, daddr;
+ unsigned int ulen;
 struct udphdr *uh;
 bool refcounted;
 int drop_reason;
@@ -2606,7 +2606,7 @@ int udp_rcv(struct sk_buff *skb)
 goto drop; /* No space for header. */
 uh = udp_hdr(skb);
- ulen = ntohs(uh->len);
+ ulen = udp_get_len(skb, uh, 0);
 saddr = ip_hdr(skb)->saddr;
 daddr = ip_hdr(skb)->daddr;
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 493e2b9e16fb..4f9a3922937c 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -919,7 +919,7 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff,
 struct sock *sk;
 int err;
- udp_set_len_short(uh, newlen);
+ udp_set_len(uh, newlen);
 sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb, udp4_lib_lookup_skb, skb, uh->source, uh->dest);
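Review bot: In udp_rcv (net/ipv4/udp.c, second hunk), `ulen = udp_get_len(skb, uh, 0);` now decides when a zero `uh->len` is read as the skb length, but nothing visible at the call ties that substitution to a GRO-aggregated skb, whereas the IPv6 path keeps an explicit `inet6_is_jumbogram(skb)` gate. The helper's body is not part of this patch, so this is inferred: if it does not itself verify that the skb came from BIG TCP aggregation, a packet arriving from the wire with a zero UDP length, which the old 16-bit read would have left at 0, could be accepted at its full skb length. I would state the contract at the call, for example `/* zero uh->len is honoured only for GRO-aggregated BIG TCP skbs, see udp_get_len() */`, and give the bare third argument `0` a name or a comment. udp_rcv continues outside the hunk, so the later length checks on the widened `ulen` are not visible here.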
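Review bot: After `udp_set_len(uh, newlen);` in udp_gro_complete (net/ipv4/udp_offload.c), the UDP header of an aggregate that does not fit in 16 bits carries a length of 0 (per the commit message), so any reader between GRO completion and udp_rcv that still does `ntohs(uh->len)` will see zero. This patch converts only udp_rcv and udpv6_rcv; other readers of the field (encapsulation receive handlers, packet filters, taps) are outside this diff and should be confirmed to tolerate or reject a zero length. A comment at the call would record the invariant: `/* uh->len is 0 when the aggregate does not fit in 16 bits; read it with udp_get_len() */`. The same applies to the fraglist branches in udp4_gro_complete and udp6_gro_complete, which pass `skb->len - nhoff`. udp_gro_complete starts and ends outside the hunk.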
@@ -956,7 +956,7 @@ INDIRECT_CALLABLE_SCOPE int udp4_gro_complete(struct sk_buff *skb, int nhoff)
 /* do fraglist only if there is no outer UDP encap (or we already processed it) */
 if (NAPI_GRO_CB(skb)->is_flist && !NAPI_GRO_CB(skb)->encap_mark) {
- udp_set_len_short(uh, skb->len - nhoff);
+ udp_set_len(uh, skb->len - nhoff);
 skb_shinfo(skb)->gso_type |= (SKB_GSO_FRAGLIST|SKB_GSO_UDP_L4);
 skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 913a19edfc7c..e434d52cc049 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1081,12 +1081,12 @@ INDIRECT_CALLABLE_SCOPE int udpv6_rcv(struct sk_buff *skb)
 daddr = &ipv6_hdr(skb)->daddr;
 uh = udp_hdr(skb);
- ulen = ntohs(uh->len);
+ ulen = udp_get_len(skb, uh, 0);
 if (ulen > skb->len)
 goto short_packet;
 /* Check for jumbo payload */
- if (ulen == 0)
+ if (ulen == 0 && inet6_is_jumbogram(skb))
 ulen = skb->len;
 if (ulen < sizeof(*uh))
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index c92cf5ee3e6a..7370bcb80332 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -171,7 +171,7 @@ int udp6_gro_complete(struct sk_buff *skb, int nhoff)
 /* do fraglist only if there is no outer UDP encap (or we already processed it) */
 if (NAPI_GRO_CB(skb)->is_flist && !NAPI_GRO_CB(skb)->encap_mark) {
- udp_set_len_short(uh, skb->len - nhoff);
+ udp_set_len(uh, skb->len - nhoff);
 skb_shinfo(skb)->gso_type |= (SKB_GSO_FRAGLIST|SKB_GSO_UDP_L4);
 skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
--
2.54.0
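Review bot: In udpv6_rcv (net/ipv6/udp.c), `ulen` now receives `udp_get_len(skb, uh, 0)`, but its declaration is outside the hunk, whereas the IPv4 hunk explicitly widens `ulen` from `unsigned short` to `unsigned int`. If the IPv6 variable were narrower than 32 bits, an aggregated length would be truncated before the `ulen > skb->len` comparison, so the declaration is worth confirming. The comment `/* Check for jumbo payload */` no longer tells the whole story; I would reword it along the lines of `/* Jumbogram: uh->len is 0, take the length from skb->len (BIG TCP is resolved in udp_get_len()) */` so the two zero-length cases are not confused later.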