CVE-2021-47036

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/02/2024
Last modified: 10/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: skip L4 aggregation for UDP tunnel packets

If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there are UDP tunnels available in the system, udp_gro_receive() could end up doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at the outer UDP tunnel level for packets effectively carrying a UDP tunnel header.

That could cause inner protocol corruption. If e.g. the relevant packets carry a vxlan header, different vxlan ids will be ignored/aggregated to the same GSO packet. Inner headers will be ignored, too, so that e.g. TCP over vxlan push packets will be held in the GRO engine till the next flush, etc.

Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the current packet could land in a UDP tunnel, and let udp_gro_receive() do GRO via udp_sk(sk)->gro_receive.

The check implemented in this patch is broader than what is strictly needed, as the existing UDP tunnel could be e.g. configured on top of a different device: we could end up skipping GRO at all for some packets.

Anyhow, that is a very thin corner case and covering it will add quite a bit of complexity.

v1 -> v2:
- hopefully clarify the commit message

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.6 (including) 5.12.4 (excluding)
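
An exposure check built from the three conditions this entry names (kernel inside the listed range, one of the two GRO features enabled, a UDP tunnel present), as an added example that is not part of the advisory or the kernel patch. It assumes `rx-gro-list` and `rx-udp-gro-forwarding` are the `ethtool -k` names for the two features, looks only for vxlan and geneve tunnels, and compares the numeric `uname -r` prefix against the CPE row, so vendor backports are not accounted for.

```python
import re

AFFECTED_FROM = (5, 6, 0)    # "5.6 (including)" from the CPE row
AFFECTED_UPTO = (5, 12, 4)   # "5.12.4 (excluding)" from the CPE row
# Assumed ethtool -k names for NETIF_F_GRO_FRAGLIST / NETIF_F_GRO_UDP_FWD
GRO_FEATURES = ("rx-gro-list", "rx-udp-gro-forwarding")
TUNNEL_KINDS = ("vxlan", "geneve")  # assumption: UDP tunnel types to look for

def kernel_in_range(release):
    """Compare the numeric prefix of `uname -r` against the CPE range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    ver = tuple(int(p or 0) for p in m.groups())
    return AFFECTED_FROM <= ver < AFFECTED_UPTO

def enabled_gro_features(ethtool_k):
    """Return the relevant features reported as 'on' by `ethtool -k <dev>`."""
    on = []
    for line in ethtool_k.splitlines():
        name, _, value = line.strip().partition(":")
        if name in GRO_FEATURES and value.split()[:1] == ["on"]:
            on.append(name)
    return on

def udp_tunnels(ip_link):
    """Return tunnel kinds found in `ip -d link show` detail lines."""
    return sorted({k for k in TUNNEL_KINDS if re.search(rf"^\s+{k}\b", ip_link, re.M)})

def assess(release, ethtool_k, ip_link):
    # Exposed only when all three conditions from the description hold.
    feats, tuns = enabled_gro_features(ethtool_k), udp_tunnels(ip_link)
    in_range = kernel_in_range(release)
    return {"in_range": in_range, "features": feats, "tunnels": tuns,
            "exposed": in_range and bool(feats) and bool(tuns)}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ETHTOOL = """Features for eth0:
rx-gro-list: on
rx-udp-gro-forwarding: off
generic-receive-offload: on
"""
SAMPLE_IP_LINK = """5: vxlan100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vxlan id 100 local 192.0.2.10 dev eth0 srcport 0 0 dstport 4789 ttl auto
"""

if __name__ == "__main__":
    print(assess("5.10.0-8-amd64", SAMPLE_ETHTOOL, SAMPLE_IP_LINK))
```

On a host flagged as exposed and not yet updated, turning the reported feature off with `ethtool -K <dev> <feature> off` removes one of the preconditions the description lists.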