From: Antonio Messina
Date: Thu, 19 Dec 2019 14:08:03 +0000 (+0100)
Subject: udp: fix integer overflow while computing available space in sk_rcvbuf
X-Git-Tag: v5.4.8~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ff4839120cbe24c2cbf4339b17771c7140e81720;p=thirdparty%2Fkernel%2Fstable.git

udp: fix integer overflow while computing available space in sk_rcvbuf

[ Upstream commit feed8a4fc9d46c3126fb9fcae0e9248270c6321a ]

When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.

When a user sets net.core.rmem_default to a value close to 2^31, UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.

This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.

Signed-off-by: Antonio Messina
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 447defbfccdd4..7aa4e77161f6a 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) * queue contains some other skb */ rmem = atomic_add_return(size, &sk->sk_rmem_alloc); - if (rmem > (size + sk->sk_rcvbuf)) + if (rmem > (size + (unsigned int)sk->sk_rcvbuf)) goto uncharge_drop; spin_lock(&list->lock);
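
Review bot: The cast in `if (rmem > (size + (unsigned int)sk->sk_rcvbuf))` silently turns the whole comparison into unsigned arithmetic, and nothing in the code says why, so a later cleanup could drop it as a redundant cast and bring back the packet drops the commit message describes for sk_rcvbuf values close to 2^31. A short comment above the check, stating that the sum has to be computed as unsigned int because sk_rcvbuf is an int that can approach 2^31 (as the message notes TCP already does), would protect it. It is also worth confirming in the rest of the function that rmem, the result of `atomic_add_return(size, &sk->sk_rmem_alloc)`, cannot be negative at this point: compared against the now-unsigned sum it would be converted to a very large value and take the `goto uncharge_drop` path.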