Re: [PATCH net-next v2 03/12] geneve: Fix off-by-one comparing with GRO_LEGACY_MAX_SIZE
From: Alice Mikityanska <hidden>
Date: 2026-02-26 20:20:34
On Thu, 26 Feb 2026 at 22:16, Alice Mikityanska [off-list ref] wrote:
quoted hunk ↗ jump to hunk
From: Alice Mikityanska <redacted> GRO_LEGACY_MAX_SIZE = 65536; total_len being 65536 is too big to fit into a u16. As can be seen in skb_gro_receive, packets bigger or equal to gro_max_size (or GRO_LEGACY_MAX_SIZE) are dropped with -E2BIG. Apply the same boundary to geneve_post_decap_hint to avoid writing 65536 to a 16-bit iph->tot_len field with an overflow. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Signed-off-by: Alice Mikityanska <redacted> --- drivers/net/geneve.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index 01cdd06102e0..7a26e2439d48 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c@@ -604,7 +604,7 @@ static int geneve_post_decap_hint(const struct sock *sk, struct sk_buff *skb, ipv6h = (void *)skb->data + gro_hint->nested_nh_offset; iph = (struct iphdr *)ipv6h; total_len = skb->len - gro_hint->nested_nh_offset; - if (total_len > GRO_LEGACY_MAX_SIZE) + if (total_len >= GRO_LEGACY_MAX_SIZE) return -E2BIG; /* --2.52.0
Paolo, when I was looking at the surrounding code, I got a question about your patch [1]. len = skb->len - gro_hint->nested_nh_offset; This len is calculated as pseudo header len for checksum purposes. The pseudo header len includes the UDP header and payload. Shouldn't it then subtract nested_tp_offset (the beginning of the UDP header)? I.e. have the same value of uh->len. I may be missing some context, but it caught my eye, and I wanted to double-check. [1]: https://lore.kernel.org/all/4a9a390588a429191e0ffe48ccdd288bb69e567e.1769011015.git.pabeni@redhat.com/ (local)