lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5b8ed8b5-2805-4cfb-8c9c-2a8fa4ca8fb2@redhat.com>
Date: Thu, 25 Sep 2025 16:15:42 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Maxim Mikityanskiy <maxtram95@...il.com>,
 Daniel Borkmann <daniel@...earbox.net>, "David S. Miller"
 <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>,
 Willem de Bruijn <willemdebruijn.kernel@...il.com>,
 David Ahern <dsahern@...nel.org>, Nikolay Aleksandrov <razor@...ckwall.org>
Cc: netdev@...r.kernel.org, tcpdump-workers@...ts.tcpdump.org,
 Guy Harris <gharris@...ic.net>, Michael Richardson <mcr@...delman.ca>,
 Denis Ovsienko <denis@...ienko.info>, Xin Long <lucien.xin@...il.com>,
 Maxim Mikityanskiy <maxim@...valent.com>
Subject: Re: [PATCH net-next 13/17] udp: Support gro_ipv4_max_size > 65536

On 9/23/25 3:47 PM, Maxim Mikityanskiy wrote:
> From: Maxim Mikityanskiy <maxim@...valent.com>
> 
> From: Maxim Mikityanskiy <maxim@...valent.com>
> 
> Currently, gro_max_size and gro_ipv4_max_size can be set to values
> bigger than 65536, and GRO will happily aggregate UDP to the configured
> size (for example, with TCP traffic in VXLAN tunnels). However,
> udp_gro_complete uses the 16-bit length field in the UDP header to store
> the length of the aggregated packet. It leads to the packet truncation
> later in __udp4_lib_rcv.
> 
> Fix this by storing 0 to the UDP length field and by restoring the real
> length from skb->len in __udp4_lib_rcv.
> 
> Signed-off-by: Maxim Mikityanskiy <maxim@...valent.com>

If I read correctly, after this patch plain UDP GRO can start
aggregating packets up to a total len above 64K.

Potentially every point in the RX/TX path can unexpectedly process UDP
GSO packets with uh->len == 0 and skb->len > 64K which sounds
potentially dangerous. How about adding an helper to access the UDP len,
and use it everywhere tree wide (except possibly H/W NIC rx path)?

You could pin-point all the relevant location changing in a local build
of your the udphdr len field and looking for allmod build breakge.

/P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ