geneve: Fix off-by-one comparing with GRO_LEGACY_MAX_SIZE

GRO_LEGACY_MAX_SIZE = 65536; total_len being 65536 is too big to fit
into a u16. As can be seen in skb_gro_receive, packets bigger or equal
to gro_max_size (or GRO_LEGACY_MAX_SIZE) are dropped with -E2BIG. Apply
the same boundary to geneve_post_decap_hint to avoid writing 65536 to a
16-bit iph->tot_len field with an overflow.

Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path")
Signed-off-by: Alice Mikityanska <alice@isovalent.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260611192955.604661-3-alice.kernel@fastmail.im
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 23b42466a7c9dddf268000f04bc4a1fa62bfdce2..9afff7bcaa0b3065d5cf8abc2407ddfceeb21b2b 100644 (file)
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -604,7 +604,7 @@ static int geneve_post_decap_hint(const struct sock *sk, struct sk_buff *skb,
        ipv6h = (void *)skb->data + gro_hint->nested_nh_offset;
        iph = (struct iphdr *)ipv6h;
        total_len = skb->len - gro_hint->nested_nh_offset;
-       if (total_len > GRO_LEGACY_MAX_SIZE)
+       if (total_len >= GRO_LEGACY_MAX_SIZE)
                return -E2BIG;
 
        /*