From: Marc Kleine-Budde <mkl@pengutronix.de>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, linux-can@vger.kernel.org,
	kernel@pengutronix.de, Marc Kleine-Budde <mkl@pengutronix.de>,
	linux-stable <stable@vger.kernel.org>
Subject: [PATCH 15/20] can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
Date: Mon, 12 Nov 2018 12:57:23 +0100
Message-ID: <20181112115728.18331-16-mkl@pengutronix.de>
In-Reply-To: <20181112115728.18331-1-mkl@pengutronix.de>

If the "struct can_priv::echo_skb" is accessed out of bounds, this would
lead to a kernel crash. Better print a sensible warning message instead and
try to recover.

Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/dev.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 46cc5fec4043..c05e4d50d43d 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -481,7 +481,11 @@ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8
 {
 	struct can_priv *priv = netdev_priv(dev);
 
-	BUG_ON(idx >= priv->echo_skb_max);
+	if (idx >= priv->echo_skb_max) {
+		netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+			   __func__, idx, priv->echo_skb_max);
+		return NULL;
+	}
 
 	if (priv->echo_skb[idx]) {
 		/* Using "struct canfd_frame::len" for the frame
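
Review bot: The new `netdev_err()` in the `idx >= priv->echo_skb_max` branch is not rate limited, so a driver that keeps passing a bad index will flood the kernel log, where `BUG_ON()` stopped at the first occurrence; consider guarding it with `net_ratelimit()` or a once-only print. The same branch adds a `return NULL` path, so the callers of `__can_get_echo_skb()` should be checked to cope with a NULL result. Unlike `BUG_ON()`, the message also carries no backtrace, so the log line alone does not identify which driver supplied the index; a WARN-style print would keep that information while still recovering.
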
-- 
2.19.1
