From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from fhigh-b3-smtp.messagingengine.com (fhigh-b3-smtp.messagingengine.com [202.12.124.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B1EB3AF66D for ; Tue, 26 May 2026 16:13:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.12.124.154 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779812010; cv=none; b=YzfYleXgpcyEVYn0IjJzb0eaW8S5XS4XUcXx/lHba4SS8grUbZC7SMnxfgZmi4NOG/0BzMX75Uu5AUKapCH4raDmbb0YP6Vgb+0O4hUShaooV7VITNm8zRi/VLQbgvUEIjq7VgzJs0mgL3cvLXvr1eb8yiSX75NKdcCfe31LRfg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779812010; c=relaxed/simple; bh=c1uI3/hJh4++FyVIgYxPClG1QwzJQ/KCKW2GXPfYBxU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=peBaaCmt0/iZppopwMhf+6yn8ji9NzjnRi1RHyD9T8hWTnJXKgfUzW3eSLISyySMsN4tWDEm69E/XYJK1r/sFWDS9MxE0ulr7VG/+3aQ/yF4+XWld3/Y6xAbjpql55VjP7QzvFQbXmhGOdZz/wvmKrUBbWM0j9Om6YyZlgcLTnk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im; spf=pass smtp.mailfrom=fastmail.im; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b=hx6g9JPI; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=XIi6dPOT; arc=none smtp.client-ip=202.12.124.154 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=fastmail.im Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fastmail.im Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=fastmail.im header.i=@fastmail.im header.b="hx6g9JPI"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="XIi6dPOT" Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45]) by mailfhigh.stl.internal (Postfix) with ESMTP id 2699A7A00B0; Tue, 26 May 2026 12:13:28 -0400 (EDT) Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-05.internal (MEProxy); Tue, 26 May 2026 12:13:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.im; h= cc:cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm3; t=1779812008; x= 1779898408; bh=2rF5Na5rgiBkDiR351mPeaPE+SomprcW8q+BWbNvlX8=; b=h x6g9JPINEbX6ccKNnPh+M1fpU+0QAeJtjc/V21GGNXlZeKYNHFm+NKXVq+DMov4I ZoKCkMoZCz/3+U52FMQWbmXNiOc1PFy8IhwPi5aO9V4JJNLt4Zz7JGin+Uv3x0Nu 9EwlBEN20OdS6RX3BdRXSdQmmS5HtSveqPsmxWjF3Hsh97JvKpafE2e6g5nGYo/s XDEcI7Ky7/eit34DHTsIFBH1kWFenydG3QGHpKIES4iloWgDtOHR6KmTXdMiQ+yy jZqjGTbkyH7dAVxGWzWHu+Pe579PJ0pPec1q8ez36R7zx8NqRHiLOJOzWc/JSj7B +/QohnJWLoloka22msQ2w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1779812008; x=1779898408; bh=2 rF5Na5rgiBkDiR351mPeaPE+SomprcW8q+BWbNvlX8=; b=XIi6dPOTfvCCHt3iP zCG/cyMaGPDMVONhhlXGoEYeU+yBxVq5uUTLmNjgoUea6Hnd+EQZTPqN59/nzFs0 s2ziGPkk7fyRGdLqfdHWTeYpInBj47mkbyXE3Azsbye5flQSoWRL/g/uIs+1RNkP SVpCbgcEOle2FEeJ0xd18aWmZga0TVSKhUwrMZGm/QEbQJCcNkpkWlFYWf+t834F Fl8ks35yXev4KO/UMFYR/z3VTtuq/FQ4SJSC4dsK5vJPyzxvPCYQde3GtvCRcfYH OMOZhWqffNNcFbUwnvLbyG8OTATR2Cx3xHxB94iEpfEhn3sBqbt5Kh36Pv3pesnT IGnLQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: dmFkZTFnubMirKk9b4RGiHINJSMkuDl5fdQMcSQrbjTnrEtnGRMO7NVlHgNvLrqEHtJaN8 zpme+woGZxyKdNU3k7TnRxVQwEyBx89uwS84rOHfufneeMmb8fdcUI2cZ94NrKEcO2l1Ev HGrlmYmgeo6wr1A/KvJn0aSPKAaKFYZM+3+ZUS7Tu2EvZqdW3lsl0cdGaP4XgQhsThVuL4 KbDr7a72qraJQV2+AdF/NUhvZF/7S5BtzFYI4JH/Pa4gofZUZmcBbcRdxJ0P7hUg8tJ5CV 07j4MHl4GAr08BQR6utb+RZkIK0dSIaHfOIubO27bhpgov0tN2bww3ysIkLzfrH9GzbeoK bd+ctBGO1XDgUC4DpzmuyHYyn8AOrJiuyc26CUOLB+NxtXlaGRCXF2UV1bDU0vY4PUPyDG +7daqmGrIENX9ARg3/c0AtLfq9Vhr2QwPydlLM0U7SSNAO197NFd66joWrpAoEQFURmbqJ ybrBDPEzW6TQVVEXYH6KCeGoKZexnE+oU/cKTzVq8Y39K+55EKphLuDTcsOtJkdELeN1Ji Ku6jTgXylUZXxKjjic0jXmluha/DUQIVW82E1H4JT2NaySBiZNsdoYTfDLafyf9jS9E2LU dzXp3m6tV+Yzy+OIMjaNiAIKKvKkluJ4xtkeRgffYBYkJ5XD4r5gscKDrjqw X-ME-Proxy: Feedback-ID: i559e4809:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 26 May 2026 12:13:27 -0400 (EDT) From: Alice Mikityanska To: Daniel Borkmann , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Xin Long , Willem de Bruijn , Willem de Bruijn , David Ahern , Nikolay Aleksandrov Cc: Shuah Khan , Stanislav Fomichev , Andrew Lunn , Simon Horman , Florian Westphal , netdev@vger.kernel.org, Alice Mikityanska Subject: [PATCH net-next v5 07/11] udp: Validate UDP length in udp_gro_receive Date: Tue, 26 May 2026 18:11:56 +0200 Message-ID: <20260526161200.1135899-8-alice.kernel@fastmail.im> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260526161200.1135899-1-alice.kernel@fastmail.im> References: <20260526161200.1135899-1-alice.kernel@fastmail.im> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Alice Mikityanska In the previous commit we started using uh->len = 0 as a marker of a GRO packet bigger than 65536 bytes. To prevent abuse by maliciously crafted packets, check the length in the UDP header in udp_gro_receive. Note that a similar check was present in udp_gro_receive_segment, but not in the UDP socket gro_receive flow. By adding an early check to udp_gro_receive, the check in udp_gro_receive_segment can be dropped. Signed-off-by: Alice Mikityanska Reviewed-by: Willem de Bruijn --- net/ipv4/udp_offload.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index f7da760f046f..d5d1dc8d0bb9 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -707,12 +707,8 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head, return NULL; } - /* Do not deal with padded or malicious packets, sorry ! */ ulen = udp_get_len_short(uh); - if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) { - NAPI_GRO_CB(skb)->flush = 1; - return NULL; - } + /* pull encapsulating udp header */ skb_gro_pull(skb, sizeof(struct udphdr)); @@ -782,8 +778,14 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb, struct sk_buff *p; struct udphdr *uh2; unsigned int off = skb_gro_offset(skb); + unsigned int ulen; int flush = 1; + /* Do not deal with padded or malicious packets, sorry! */ + ulen = udp_get_len_short(uh); + if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) + goto out; + /* We can do L4 aggregation only if the packet can't land in a tunnel * otherwise we could corrupt the inner stream. Detecting such packets * cannot be foolproof and the aggregation might still happen in some -- 2.54.0