[PATCH] udp: fix integer overflow while computing available space in sk_rcvbuf

[PATCH] udp: fix integer overflow while computing available space in sk_rcvbuf

[Antonio Messina]

When the size of the receive buffer for a socket is close to 2^31 when
computing if we have enough space in the buffer to copy a packet from
the queue to the buffer we might hit an integer overflow.

When an user set net.core.rmem_default to a value close to 2^31 UDP
packets are dropped because of this overflow. This can be visible, for
instance, with failure to resolve hostnames.

This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
int, similarly to how it is done in TCP.

Signed-off-by: Antonio Messina <amessina@google.com>
---
 net/ipv4/udp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 4da5758cc718..93a355b6b092 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1475,7 +1475,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
 	 * queue contains some other skb
 	 */
 	rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
-	if (rmem > (size + sk->sk_rcvbuf))
+	if (rmem > (size + (unsigned int)sk->sk_rcvbuf))
 		goto uncharge_drop;
 
 	spin_lock(&list->lock);
-- 
2.24.1.735.g03f4e72817-goog

Re: [PATCH] udp: fix integer overflow while computing available space in sk_rcvbuf

[David Miller]

From: Antonio Messina <amessina@google.com>
Date: Thu, 19 Dec 2019 15:08:03 +0100

> When the size of the receive buffer for a socket is close to 2^31 when
> computing if we have enough space in the buffer to copy a packet from
> the queue to the buffer we might hit an integer overflow.
> 
> When an user set net.core.rmem_default to a value close to 2^31 UDP
> packets are dropped because of this overflow. This can be visible, for
> instance, with failure to resolve hostnames.
> 
> This can be fixed by casting sk_rcvbuf (which is an int) to unsigned
> int, similarly to how it is done in TCP.
> 
> Signed-off-by: Antonio Messina <amessina@google.com>

Applied and queued up for -stable, thanks.

Re: [PATCH] udp: fix integer overflow while computing available space in sk_rcvbuf

[kaz1020]

Antonio Messina at Google,
Linux Kernel maintainers,

I read the following fraud Google Blog.
https://cloud.google.com/blog/topics/inside-google-cloud/google-cloud-support-engineer-solves-a-tough-dns-case

I require Antonio Messina the fulfillment of obligations.
Antonio Messina accepted the following requests on June 27, 2020.

I requested Antonio Messina to correct his mistakes.
- Rewrite the article on fraud Google Blog
- Send the new patch I proposed

Past, I explained the following result to Antonio Messina and Google.

Abstract:
The “size" variable of the following line will be removed.
Line: https://github.com/torvalds/linux/blob/v5.4/net/ipv4/udp.c#L1478

Because comparing "to be allocated buffer size" and "Max buffer size" + "size."
Antonio Messina's mistake: if (rmem > (unsigned int)(size + sk->sk_rcvbuf))
The fix I propose: if (rmem > sk->sk_rcvbuf)
 
Details:
In the function __udp_enqueue_schedule_skb.
- rmem: Same as sk->sk_rmem_alloc.
  -- It means allocated or to be allocated buffer size.
- sk->sk_rcvbuf: Max buffer size(purpose to limit the buffer size).
- size: Same as skb->truesize.
  -- It means a packet size.

The original problem is committed by: 
https://github.com/torvalds/linux/commit/363dc73acacbbcdae98acf5612303e9770e04b1d
In addition, the condition sentence has been corrupted before this commit.

Antonio Messina sent a poor patch: 
https://lkml.org/lkml/2019/12/19/482

-- 
Fix it,
kaz1020