udp: fix GRO packet of death

[thirdparty/kernel/stable.git] / net / ipv4 / udp_offload.c

diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index d8776b2110c107ea322262d83532cb8c2759a9dc..065334b41d575aa0ba28de8487a6a5d018ec8804 100644 (file)
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -352,6 +352,7 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
        struct sk_buff *pp = NULL;
        struct udphdr *uh2;
        struct sk_buff *p;
+       unsigned int ulen;
 
        /* requires non zero csum, for symmetry with GSO */
        if (!uh->check) {
@@ -359,6 +360,12 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
                return NULL;
        }
 
+       /* Do not deal with padded or malicious packets, sorry ! */
+       ulen = ntohs(uh->len);
+       if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) {
+               NAPI_GRO_CB(skb)->flush = 1;
+               return NULL;
+       }
        /* pull encapsulating udp header */
        skb_gro_pull(skb, sizeof(struct udphdr));
        skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr));
@@ -377,12 +384,12 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
 
                /* Terminate the flow on len mismatch or if it grow "too much".
                 * Under small packet flood GRO count could elsewhere grow a lot
-                * leading to execessive truesize values.
+                * leading to excessive truesize values.
                 * On len mismatch merge the first packet shorter than gso_size,
                 * otherwise complete the GRO packet.
                 */
-               if (uh->len > uh2->len || skb_gro_receive(p, skb) ||
-                   uh->len != uh2->len ||
+               if (ulen > ntohs(uh2->len) || skb_gro_receive(p, skb) ||
+                   ulen != ntohs(uh2->len) ||
                    NAPI_GRO_CB(p)->count >= UDP_GRO_CNT_MAX)
                        pp = p;