lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251126034601.236922-1-ssranevjti@gmail.com>
Date: Wed, 26 Nov 2025 09:16:01 +0530
From: ssrane_b23@...vjti.ac.in
To: socketcan@...tkopp.net
Cc: mkl@...gutronix.de,
	jhs@...atatu.com,
	xiyou.wangcong@...il.com,
	jiri@...nulli.us,
	davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	linux-can@...r.kernel.org,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org,
	linux-kernel-mentees@...ts.linux.dev,
	david.hunter.linux@...il.com,
	khalid@...nel.org,
	Shaurya Rane <ssrane_b23@...vjti.ac.in>,
	syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
Subject: [PATCH net] net/sched: em_canid: add length check before reading CAN ID

From: Shaurya Rane <ssrane_b23@...vjti.ac.in>

Add a check to verify that the skb has at least sizeof(canid_t) bytes
before reading the CAN ID from skb->data. This prevents reading
uninitialized memory when processing malformed packets that don't
contain a valid CAN frame.

Reported-by: syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
---
 net/sched/em_canid.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
index 5337bc462755..a9b6cab70ff1 100644
--- a/net/sched/em_canid.c
+++ b/net/sched/em_canid.c
@@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
 	int i;
 	const struct can_filter *lp;
 
+	if (skb->len < sizeof(canid_t))
+		return 0;
+
 	can_id = em_canid_get_id(skb);
 
 	if (can_id & CAN_EFF_FLAG) {
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ