| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220317030143.14668-1-hbh25y@gmail.com>
Date: Thu, 17 Mar 2022 11:01:43 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: rcsekar@...sung.com, wg@...ndegger.com, mkl@...gutronix.de,
davem@...emloft.net, kuba@...nel.org
Cc: linux-can@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Hangyu Hua <hbh25y@...il.com>
Subject: [PATCH] can: m_can: fix a possible use after free in m_can_tx_handler()
can_put_echo_skb will clone skb then free the skb. It is better to avoid using
skb after can_put_echo_skb.
Signed-off-by: Hangyu Hua <hbh25y@...il.com>
---
drivers/net/can/m_can/m_can.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index 1a4b56f6fa8c..98be5742f4f5 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1607,6 +1607,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
u32 cccr, fdflags;
int err;
int putidx;
+ unsigned int len = skb->len;
cdev->tx_skb = NULL;
@@ -1642,7 +1643,7 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
if (cdev->can.ctrlmode & CAN_CTRLMODE_FD) {
cccr = m_can_read(cdev, M_CAN_CCCR);
cccr &= ~CCCR_CMR_MASK;
- if (can_is_canfd_skb(skb)) {
+ if (len == CANFD_MTU) {
if (cf->flags & CANFD_BRS)
cccr |= FIELD_PREP(CCCR_CMR_MASK,
CCCR_CMR_CANFD_BRS);
--
2.25.1
Powered by blists - more mailing lists