From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from fhigh-b7-smtp.messagingengine.com (fhigh-b7-smtp.messagingengine.com [202.12.124.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2631544A739 for ; Thu, 26 Feb 2026 20:17:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.12.124.158 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772137023; cv=none; b=tWzThYYKCRSXjT5WxeU+BFZ6289WpHSIUF0UCVlsmq9k8AcXyXrnY2ps9wIZ8ihUDGwLghE/Vw57lgBDjQHm+RhOJvWkHbCf5hBxFLbOT2YzGmWiyQep7PqMVeb3JVAFUcrG7YvJ9b9VEqRCigk8B0VW4sUT1NMts1DNTI54ffo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772137023; c=relaxed/simple; bh=vfPTgeSa0kf/+W1qqiDgXX/4FM4SUHMkBaIC+VmGcv4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HSZgz1xQYPMJTdmDMKODg+0xRSPJEQkrhCvIUOOf2xQLyQIZk5D6Ez/qfBRITFvSSYKz03Prjaax3U2ETSDHkKzC3IO4ezwxjl6l4zZTlBq/xV5RuL2n1ysG/YuK+CW+Xd4yMV+d8GHmXKW9rvsWVtAAoffF4sh/rcLnia31B0M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im; spf=pass smtp.mailfrom=fastmail.im; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b=h3CfDsJ6; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=M9PdBx46; arc=none smtp.client-ip=202.12.124.158 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fastmail.im Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b="h3CfDsJ6"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="M9PdBx46" Received: from phl-compute-06.internal (phl-compute-06.internal [10.202.2.46]) by mailfhigh.stl.internal (Postfix) with ESMTP id 374F57A013F; Thu, 26 Feb 2026 15:17:01 -0500 (EST) Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-06.internal (MEProxy); Thu, 26 Feb 2026 15:17:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.im; h= cc:cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm3; t=1772137021; x= 1772223421; bh=Ctr1AZADpP7yYAZ6xgrVN26SphNQyQeXfrv1YlHOcJw=; b=h 3CfDsJ6GxoAokwpc55YV8D9BO5bbC5VTYvSO34K1dmykuXTi7hQ3jd0j8yBZF9oq bvvzMsdBPjTOXLM6JefeJgK8jZV7kBkqjHeQ0bHvoBidLhq6CgcIdrP6i/CGFakz Lb44vFbduk6PvuRBEtfEkhb7YRJxRlETsG2RFklrsOGyN1slGbedbFmY5CFMcQdl t3bUQog0MjLy3a76FYe1gezlWtrJRRKp4tYHq25i7OnDNs0xtPSAkMptj3rWklnS t6nXSxnFvViVui1P6zx5h8IBx0f2QT3MZPuEEhib80tldEB/FD+J5yhRXmhtYHoe sp3FPZQskGVglYI460DKQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1772137021; x=1772223421; bh=C tr1AZADpP7yYAZ6xgrVN26SphNQyQeXfrv1YlHOcJw=; b=M9PdBx46UA+8vOUE6 RQzo4LmBcOn3hz++qJTWdPwqR9yBxMbLfTdxdDj+KlIrQgnOcuwrst4yzrYqJjjh OJeyW3U+kzgwehW+SqEAXztTAhxi6PEF6wiIINop/jE3vsw1YLaZcO2r0aB1xj0d 51+u1f/vmvRdlAEgjOs2aRc8+X0Ry3c5mDk4L4gu6hujFcaxOYiZcm/HLPadyMqK el1DPJOLdaJZh5Q60vGAwQb5LRHX2zNyAcL4hAnlyi9rjZh4HFDuwRN8QXG9m/71 ZD8cP8VnPkI9AM00XODrF+JDGzLO8yhIKtFfhK+DqcaDmK7Z7VNICtLfWwOu7zeq ksPEw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgddvgeejtddvucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf gurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomheptehlihgtvgcu ofhikhhithihrghnshhkrgcuoegrlhhitggvrdhkvghrnhgvlhesfhgrshhtmhgrihhlrd himheqnecuggftrfgrthhtvghrnhepteffleejfedvhfehieejlefgkeeljeevueeggeev tefhgfeuhfduffegkedvtddtnecuvehluhhsthgvrhfuihiivgepvdenucfrrghrrghmpe hmrghilhhfrhhomheprghlihgtvgdrkhgvrhhnvghlsehfrghsthhmrghilhdrihhmpdhn sggprhgtphhtthhopeduiedpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepuggrnh hivghlsehiohhgvggrrhgsohigrdhnvghtpdhrtghpthhtohepuggrvhgvmhesuggrvhgv mhhlohhfthdrnhgvthdprhgtphhtthhopegvughumhgriigvthesghhoohhglhgvrdgtoh hmpdhrtghpthhtohepkhhusggrsehkvghrnhgvlhdrohhrghdprhgtphhtthhopehprggs vghnihesrhgvughhrghtrdgtohhmpdhrtghpthhtoheplhhutghivghnrdigihhnsehgmh grihhlrdgtohhmpdhrtghpthhtohepfihilhhlvghmuggvsghruhhijhhnrdhkvghrnhgv lhesghhmrghilhdrtghomhdprhgtphhtthhopegushgrhhgvrhhnsehkvghrnhgvlhdroh hrghdprhgtphhtthhopehrrgiiohhrsegslhgrtghkfigrlhhlrdhorhhg X-ME-Proxy: Feedback-ID: i559e4809:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 26 Feb 2026 15:17:00 -0500 (EST) From: Alice Mikityanska To: Daniel Borkmann , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Xin Long , Willem de Bruijn , David Ahern , Nikolay Aleksandrov Cc: Shuah Khan , Stanislav Fomichev , Andrew Lunn , Simon Horman , Florian Westphal , netdev@vger.kernel.org, Alice Mikityanska Subject: [PATCH net-next v2 08/12] udp: Validate UDP length in udp_gro_receive Date: Thu, 26 Feb 2026 22:15:56 +0200 Message-ID: <20260226201600.222044-9-alice.kernel@fastmail.im> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226201600.222044-1-alice.kernel@fastmail.im> References: <20260226201600.222044-1-alice.kernel@fastmail.im> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Alice Mikityanska In the previous commit we started using uh->len = 0 as a marker of a GRO packet bigger than 65536 bytes. To prevent abuse by maliciously crafted packets, check the length in the UDP header in udp_gro_receive. Note that a similar check was present in udp_gro_receive_segment, but not in the UDP socket gro_receive flow. By adding an early check to udp_gro_receive, the check in udp_gro_receive_segment can be dropped. Signed-off-by: Alice Mikityanska --- net/ipv4/udp_offload.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 780df257a8d9..5d9de8998867 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -706,12 +706,8 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head, return NULL; } - /* Do not deal with padded or malicious packets, sorry ! */ ulen = udp_get_len_short(uh); - if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) { - NAPI_GRO_CB(skb)->flush = 1; - return NULL; - } + /* pull encapsulating udp header */ skb_gro_pull(skb, sizeof(struct udphdr)); @@ -781,8 +777,14 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb, struct sk_buff *p; struct udphdr *uh2; unsigned int off = skb_gro_offset(skb); + unsigned int ulen; int flush = 1; + /* Do not deal with padded or malicious packets, sorry! */ + ulen = udp_get_len_short(uh); + if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) + goto out; + /* We can do L4 aggregation only if the packet can't land in a tunnel * otherwise we could corrupt the inner stream. Detecting such packets * cannot be foolproof and the aggregation might still happen in some -- 2.52.0