From: Alice Mikityanska <alice.kernel@fastmail.im>
To: Daniel Borkmann <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Xin Long <lucien.xin@gmail.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
David Ahern <dsahern@kernel.org>,
Nikolay Aleksandrov <razor@blackwall.org>
Cc: Shuah Khan <shuah@kernel.org>,
Stanislav Fomichev <stfomichev@gmail.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Simon Horman <horms@kernel.org>, Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, Alice Mikityanska <alice@isovalent.com>
Subject: [PATCH net-next v2 08/12] udp: Validate UDP length in udp_gro_receive
Date: Thu, 26 Feb 2026 22:15:56 +0200 [thread overview]
Message-ID: <20260226201600.222044-9-alice.kernel@fastmail.im> (raw)
In-Reply-To: <20260226201600.222044-1-alice.kernel@fastmail.im>
From: Alice Mikityanska <alice@isovalent.com>
In the previous commit we started using uh->len = 0 as a marker of a GRO
packet bigger than 65536 bytes. To prevent abuse by maliciously crafted
packets, check the length in the UDP header in udp_gro_receive.
Note that a similar check was present in udp_gro_receive_segment, but
not in the UDP socket gro_receive flow. By adding an early check to
udp_gro_receive, the check in udp_gro_receive_segment can be dropped.
Signed-off-by: Alice Mikityanska <alice@isovalent.com>
---
net/ipv4/udp_offload.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 780df257a8d9..5d9de8998867 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -706,12 +706,8 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
return NULL;
}
- /* Do not deal with padded or malicious packets, sorry ! */
ulen = udp_get_len_short(uh);
- if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) {
- NAPI_GRO_CB(skb)->flush = 1;
- return NULL;
- }
+
/* pull encapsulating udp header */
skb_gro_pull(skb, sizeof(struct udphdr));
@@ -781,8 +777,14 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb,
struct sk_buff *p;
struct udphdr *uh2;
unsigned int off = skb_gro_offset(skb);
+ unsigned int ulen;
int flush = 1;
+ /* Do not deal with padded or malicious packets, sorry! */
+ ulen = udp_get_len_short(uh);
+ if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb))
+ goto out;
+
/* We can do L4 aggregation only if the packet can't land in a tunnel
* otherwise we could corrupt the inner stream. Detecting such packets
* cannot be foolproof and the aggregation might still happen in some
--
2.52.0
next prev parent reply other threads:[~2026-02-26 20:17 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-26 20:15 [PATCH net-next v2 00/12] BIG TCP for UDP tunnels Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 01/12] net/sched: act_csum: don't mangle UDP tunnel GSO packets Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 02/12] udp: gso: Simplify handling length in GSO_PARTIAL Alice Mikityanska
2026-03-06 20:55 ` Willem de Bruijn
2026-03-06 22:19 ` Alice Mikityanska
2026-03-07 23:23 ` Willem de Bruijn
2026-03-07 23:34 ` Alice Mikityanska
2026-03-07 23:53 ` Willem de Bruijn
2026-02-26 20:15 ` [PATCH net-next v2 03/12] geneve: Fix off-by-one comparing with GRO_LEGACY_MAX_SIZE Alice Mikityanska
2026-02-26 20:20 ` Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 04/12] net: Use helpers to get/set UDP len tree-wide Alice Mikityanska
2026-02-26 20:19 ` Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 05/12] net: Enable BIG TCP with partial GSO Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 06/12] udp: Support gro_ipv4_max_size > 65536 Alice Mikityanska
2026-03-06 21:24 ` Willem de Bruijn
2026-03-06 21:31 ` Willem de Bruijn
2026-02-26 20:15 ` [PATCH net-next v2 07/12] udp: Support BIG TCP GSO packets where they can occur Alice Mikityanska
2026-02-26 20:15 ` Alice Mikityanska [this message]
2026-02-26 20:15 ` [PATCH net-next v2 09/12] udp: Set length in UDP header to 0 for big GSO packets Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 10/12] vxlan: Enable BIG TCP packets Alice Mikityanska
2026-02-26 20:15 ` [PATCH net-next v2 11/12] geneve: " Alice Mikityanska
2026-02-26 20:16 ` [PATCH net-next v2 12/12] selftests: net: Add a test for BIG TCP in UDP tunnels Alice Mikityanska
2026-02-27 1:30 ` Jakub Kicinski
2026-02-27 9:35 ` Alice Mikityanska
2026-02-27 18:17 ` [syzbot ci] Re: BIG TCP for " syzbot ci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260226201600.222044-9-alice.kernel@fastmail.im \
--to=alice.kernel@fastmail.im \
--cc=alice@isovalent.com \
--cc=andrew+netdev@lunn.ch \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=shuah@kernel.org \
--cc=stfomichev@gmail.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox