From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from fhigh-a1-smtp.messagingengine.com (fhigh-a1-smtp.messagingengine.com [103.168.172.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90B433D9DB8 for ; Fri, 10 Apr 2026 15:10:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.152 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775833827; cv=none; b=Hk0omNUV91Hvccb7FMOySSfEnUd3UrN/XO/e6do5Jpu77pFkRzrDBrAM7YfR7uGhUDhjyALluIiQijx86zLh6f/pxeAJHB6pQMfPmP0tXIctZy0NkotGYQtFX28WsqL2NRh8kZ2o898P4sOQ2wjP/fv3FDHIUUzHhzjxUxpgPnY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775833827; c=relaxed/simple; bh=LS15Xu4zsM2P2cbnJH9QXzxKg+QCuDTxe5Jn5c55cq4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=e36tauAHpEhmu7qspoH4JDW1omVeT83TglazOvr6+MAHS5qAy8i3s9edodzeH0qxgX9rnsjvxN5XM9h4Fnr1/23jFPPfa6ckQqQeoPt3xXH2vVtq3tD0y+bLwQOOnKxQ1z4imkS0AdXu58WIJQrDDyFSSOkaQLaRU6uXIl+7dyI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im; spf=pass smtp.mailfrom=fastmail.im; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b=QRnIadx+; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=SdtdeTkT; arc=none smtp.client-ip=103.168.172.152 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fastmail.im Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b="QRnIadx+"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="SdtdeTkT" Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42]) by mailfhigh.phl.internal (Postfix) with ESMTP id E67041400265; Fri, 10 Apr 2026 11:10:25 -0400 (EDT) Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-02.internal (MEProxy); Fri, 10 Apr 2026 11:10:25 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.im; h= cc:cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm2; t=1775833825; x= 1775920225; bh=5S8qt1e78cR8wCsoHJgfBEraa//yXwr+TQS7xLGFo00=; b=Q RnIadx+zFeOVbuh2SSi/h0iS7LPomalSk32y4Rz5aSGk8P7J2515GieFN9ue5/OM yCHVR3f9je5ThgB2BkHvMfshsJC4NWjEaoCtOlQo4QjYwAMFKWh/N2CCkhO3SDXl V12V51TlvkEY++7C0uF59OYz2eQczi6Lpr3ckoxsC2YlEGY7s5VmlK18JAapq8IE WDannqO2Rvo6lVMCZ55mfOKPCemUhuTNC/Di8bN5G0Nbyy/0+v35GNJJLKysZtIQ tAfoMmORRx6I5YnYEy+39Z+SjI0ctCFP1DWxNmktKutvdovzMry0IuWdmjcDr4/X 1vYa9XFbz3Vsyhv0jss7A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; t=1775833825; x=1775920225; bh=5 S8qt1e78cR8wCsoHJgfBEraa//yXwr+TQS7xLGFo00=; b=SdtdeTkTwq9bKD2DH 0aWta4wNK9UKKAIsilFXnBb5fwuAoQeiUEobaN3La8sM2oSqh/vzksjCbqp76dyE nd4IxFcn8mV9bT0ZFgZBZIAlGG9T7wVYy7Lypbqt0MfiS50LHUsnSbe4/FDgLiWe cPOi0mZwpvBzs+gSSZvEU7ylWFnUBZF6S6ftYUNEXHNAcub32kVAXA13RX62KCqw SbCdg57SIlFkMsq/zxnV5MzH/6oHaqIkOE9Lo49yxNBAftoYeIEj70Kz/4uPN7ag 6p46Na7ps/W6VvT25b725T4NtfoUg1vDtaNeyrBXd4JjmBsoYEXN3vTRE7LpF3Ie 7iItA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgddvleejfecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug hrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeetlhhitggvucfo ihhkihhthigrnhhskhgruceorghlihgtvgdrkhgvrhhnvghlsehfrghsthhmrghilhdrih hmqeenucggtffrrghtthgvrhhnpeetffeljeefvdfhheeijeelgfekleejveeugeegveet hffguefhudffgeekvddttdenucevlhhushhtvghrufhiiigvpedunecurfgrrhgrmhepmh grihhlfhhrohhmpegrlhhitggvrdhkvghrnhgvlhesfhgrshhtmhgrihhlrdhimhdpnhgs pghrtghpthhtohepudeipdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegurghnih gvlhesihhoghgvrghrsghogidrnhgvthdprhgtphhtthhopegurghvvghmsegurghvvghm lhhofhhtrdhnvghtpdhrtghpthhtohepvgguuhhmrgiivghtsehgohhoghhlvgdrtghomh dprhgtphhtthhopehkuhgsrgeskhgvrhhnvghlrdhorhhgpdhrtghpthhtohepphgrsggv nhhisehrvgguhhgrthdrtghomhdprhgtphhtthhopehluhgtihgvnhdrgihinhesghhmrg hilhdrtghomhdprhgtphhtthhopeifihhllhgvmhguvggsrhhuihhjnhdrkhgvrhhnvghl sehgmhgrihhlrdgtohhmpdhrtghpthhtohepughsrghhvghrnheskhgvrhhnvghlrdhorh hgpdhrtghpthhtoheprhgriihorhessghlrggtkhifrghllhdrohhrgh X-ME-Proxy: Feedback-ID: i559e4809:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 10 Apr 2026 11:10:25 -0400 (EDT) From: Alice Mikityanska To: Daniel Borkmann , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Xin Long , Willem de Bruijn , David Ahern , Nikolay Aleksandrov Cc: Shuah Khan , Stanislav Fomichev , Andrew Lunn , Simon Horman , Florian Westphal , netdev@vger.kernel.org, Alice Mikityanska Subject: [PATCH net-next v3 08/12] udp: Validate UDP length in udp_gro_receive Date: Fri, 10 Apr 2026 18:09:39 +0300 Message-ID: <20260410150943.993350-9-alice.kernel@fastmail.im> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260410150943.993350-1-alice.kernel@fastmail.im> References: <20260410150943.993350-1-alice.kernel@fastmail.im> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Alice Mikityanska In the previous commit we started using uh->len = 0 as a marker of a GRO packet bigger than 65536 bytes. To prevent abuse by maliciously crafted packets, check the length in the UDP header in udp_gro_receive. Note that a similar check was present in udp_gro_receive_segment, but not in the UDP socket gro_receive flow. By adding an early check to udp_gro_receive, the check in udp_gro_receive_segment can be dropped. Signed-off-by: Alice Mikityanska --- net/ipv4/udp_offload.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 23653872ca65..4bb37c8d234f 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -704,12 +704,8 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head, return NULL; } - /* Do not deal with padded or malicious packets, sorry ! */ ulen = udp_get_len_short(uh); - if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) { - NAPI_GRO_CB(skb)->flush = 1; - return NULL; - } + /* pull encapsulating udp header */ skb_gro_pull(skb, sizeof(struct udphdr)); @@ -779,8 +775,14 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb, struct sk_buff *p; struct udphdr *uh2; unsigned int off = skb_gro_offset(skb); + unsigned int ulen; int flush = 1; + /* Do not deal with padded or malicious packets, sorry! */ + ulen = udp_get_len_short(uh); + if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) + goto out; + /* We can do L4 aggregation only if the packet can't land in a tunnel * otherwise we could corrupt the inner stream. Detecting such packets * cannot be foolproof and the aggregation might still happen in some -- 2.53.0