From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Zhang Changzhong <zhangchangzhong@huawei.com>,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH 5.10 42/95] can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
Date: Mon, 25 Oct 2021 21:14:39 +0200 [thread overview]
Message-ID: <20211025191002.844934664@linuxfoundation.org> (raw)
In-Reply-To: <20211025190956.374447057@linuxfoundation.org>
From: Zhang Changzhong <zhangchangzhong@huawei.com>
commit a4fbe70c5cb746441d56b28cf88161d9e0e25378 upstream.
The receiver should abort TP if 'total message size' in TP.CM_RTS and
TP.CM_BAM is less than 9 or greater than 1785 [1], but currently the
j1939 stack only checks the upper bound and the receiver will accept
the following broadcast message:
vcan1 18ECFF00 [8] 20 08 00 02 FF 00 23 01
vcan1 18EBFF00 [8] 01 00 00 00 00 00 00 00
vcan1 18EBFF00 [8] 02 00 FF FF FF FF FF FF
This patch adds check for the lower bound and abort illegal TP.
[1] SAE-J1939-82 A.3.4 Row 2 and A.3.6 Row 6.
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/1634203601-3460-1-git-send-email-zhangchangzhong@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/j1939-priv.h | 1 +
net/can/j1939/transport.c | 2 ++
2 files changed, 3 insertions(+)
--- a/net/can/j1939/j1939-priv.h
+++ b/net/can/j1939/j1939-priv.h
@@ -326,6 +326,7 @@ int j1939_session_activate(struct j1939_
void j1939_tp_schedule_txtimer(struct j1939_session *session, int msec);
void j1939_session_timers_cancel(struct j1939_session *session);
+#define J1939_MIN_TP_PACKET_SIZE 9
#define J1939_MAX_TP_PACKET_SIZE (7 * 0xff)
#define J1939_MAX_ETP_PACKET_SIZE (7 * 0x00ffffff)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1596,6 +1596,8 @@ j1939_session *j1939_xtp_rx_rts_session_
abort = J1939_XTP_ABORT_FAULT;
else if (len > priv->tp_max_packet_size)
abort = J1939_XTP_ABORT_RESOURCE;
+ else if (len < J1939_MIN_TP_PACKET_SIZE)
+ abort = J1939_XTP_ABORT_FAULT;
}
if (abort != J1939_XTP_NO_ABORT) {
next prev parent reply other threads:[~2021-10-25 19:39 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-25 19:13 [PATCH 5.10 00/95] 5.10.76-rc1 review Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 01/95] parisc: math-emu: Fix fall-through warnings Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 02/95] xhci: add quirk for host controllers that dont update endpoint DCS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 03/95] io_uring: fix splice_fd_in checks backport typo Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 04/95] arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 05/95] ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 06/95] block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 07/95] xen/x86: prevent PVH type from getting clobbered Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 08/95] drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 09/95] xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 10/95] xtensa: xtfpga: Try software restart before simulating CPU reset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 11/95] NFSD: Keep existing listeners on portlist error Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 12/95] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 13/95] dma-debug: fix sg checks in debug_dma_map_sg() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 14/95] ASoC: wm8960: Fix clock configuration on slave mode Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 15/95] ice: fix getting UDP tunnel entry Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 16/95] netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 17/95] netfilter: ipvs: make global sysctl readonly in non-init netns Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 18/95] lan78xx: select CRC32 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 19/95] tcp: md5: Fix overlap between vrf and non-vrf keys Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 20/95] ipv6: When forwarding count rx stats on the orig netdev Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 21/95] net: dsa: lantiq_gswip: fix register definition Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 22/95] NIOS2: irqflags: rename a redefined register name Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 23/95] powerpc/smp: do not decrement idle task preempt count in CPU offline Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 24/95] net: hns3: reset DWRR of unused tc to zero Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 25/95] net: hns3: add limit ets dwrr bandwidth cannot be 0 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 26/95] net: hns3: schedule the polling again when allocation fails Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 27/95] net: hns3: fix vf reset workqueue cannot exit Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 28/95] net: hns3: disable sriov before unload hclge layer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 29/95] net: stmmac: Fix E2E delay mechanism Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 30/95] e1000e: Fix packet loss on Tiger Lake and later Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 31/95] ice: Add missing E810 device ids Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 32/95] drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 33/95] net: enetc: fix ethtool counter name for PM0_TERR Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 34/95] can: rcar_can: fix suspend/resume Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 35/95] can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 36/95] can: peak_pci: peak_pci_remove(): fix UAF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 37/95] can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 38/95] can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 39/95] can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 40/95] can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 41/95] can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length Greg Kroah-Hartman
2021-10-25 19:14 ` Greg Kroah-Hartman [this message]
2021-10-25 19:14 ` [PATCH 5.10 43/95] ceph: skip existing superblocks that are blocklisted or shut down when mounting Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 44/95] ceph: fix handling of "meta" errors Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 45/95] ocfs2: fix data corruption after conversion from inline format Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 46/95] ocfs2: mount fails with buffer overflow in strlen Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 47/95] userfaultfd: fix a race between writeprotect and exit_mmap() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 48/95] elfcore: correct reference to CONFIG_UML Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 49/95] vfs: check fd has read access in kernel_read_file_from_fd() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 50/95] ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 51/95] ALSA: hda/realtek: Add quirk for Clevo PC50HS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 52/95] ASoC: DAPM: Fix missing kctl change notifications Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 53/95] audit: fix possible null-pointer dereference in audit_filter_rules Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 54/95] net: dsa: mt7530: correct ds->num_ports Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 55/95] powerpc64/idle: Fix SP offsets when saving GPRs Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 56/95] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 57/95] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 58/95] powerpc/idle: Dont corrupt back chain when going idle Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 59/95] mm, slub: fix mismatch between reconstructed freelist depth and cnt Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 60/95] mm, slub: fix potential memoryleak in kmem_cache_open() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 61/95] mm, slub: fix incorrect memcg slab count for bulk free Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 62/95] KVM: nVMX: promptly process interrupts delivered while in guest mode Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 63/95] nfc: nci: fix the UAF of rf_conn_info object Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 64/95] isdn: cpai: check ctr->cnr to avoid array index out of bound Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 65/95] netfilter: Kconfig: use default y instead of m for bool config option Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 66/95] selftests: netfilter: remove stray bash debug line Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 67/95] net: bridge: mcast: use multicast_membership_interval for IGMPv3 Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 68/95] drm: mxsfb: Fix NULL pointer dereference crash on unload Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 69/95] net: hns3: fix the max tx size according to user manual Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 70/95] gcc-plugins/structleak: add makefile var for disabling structleak Greg Kroah-Hartman
2021-10-25 20:56 ` Pavel Machek
2021-10-25 21:07 ` Brendan Higgins
2021-10-25 21:40 ` Pavel Machek
2021-10-25 19:15 ` [PATCH 5.10 71/95] ALSA: hda: intel: Allow repeatedly probing on codec configuration errors Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 72/95] btrfs: deal with errors when checking if a dir entry exists during log replay Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 73/95] net: stmmac: add support for dwmac 3.40a Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 74/95] ARM: dts: spear3xx: Fix gmac node Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 75/95] isdn: mISDN: Fix sleeping function called from invalid context Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 76/95] platform/x86: intel_scu_ipc: Update timeout value in comment Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 77/95] ALSA: hda: avoid write to STATESTS if controller is in reset Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 78/95] libperf tests: Fix test_stat_cpu Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 79/95] perf/x86/msr: Add Sapphire Rapids CPU support Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 80/95] Input: snvs_pwrkey - add clk handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 81/95] scsi: iscsi: Fix set_param() handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 82/95] scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 83/95] sched/scs: Reset the shadow stack when idle_task_exit Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 84/95] net: hns3: fix for miscalculation of rx unused desc Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 85/95] scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 86/95] can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 87/95] s390/pci: fix zpci_zdev_put() on reserve Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 88/95] bpf, test, cgroup: Use sk_{alloc,free} for test cases Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 89/95] usbnet: sanity check for maxpacket Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 90/95] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 91/95] tracing: Have all levels of checks prevent recursion Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 92/95] e1000e: Separate TGP board type from SPT Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 93/95] selftests: bpf: fix backported ASSERT_FALSE Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 94/95] ARM: 9122/1: select HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 95/95] pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume() Greg Kroah-Hartman
2021-10-25 21:09 ` [PATCH 5.10 00/95] 5.10.76-rc1 review Florian Fainelli
2021-10-25 21:37 ` Pavel Machek
2021-10-26 0:59 ` Shuah Khan
2021-10-26 1:14 ` Fox Chen
2021-10-26 7:17 ` Naresh Kamboju
2021-10-26 18:27 ` Sudip Mukherjee
2021-10-26 19:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211025191002.844934664@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=stable@vger.kernel.org \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).