author | David S. Miller <davem@davemloft.net> | 2020-08-14 13:57:56 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-08-14 13:57:56 -0700 |
commit | e591d298cc7b9e2d82e701ab3fdfe7c97b692994 (patch) | |
tree | df6499e916a8b828aa693319e5fe9221a60db71a /net/can/j1939/socket.c | |
parent | 7fca4dee610dffbe119714231cac0d59496bc193 (diff) | |
parent | e052d0540298bfe0f6cbbecdc7e2ea9b859575b2 (diff) | |
Merge tag 'linux-can-fixes-for-5.9-20200814' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2020-08-14
this is a pull request of 6 patches for net/master. All patches fix problems in
the j1939 CAN networking stack.
The first patch is by Eric Dumazet and fixes a kernel-infoleak in
j1939_sk_sock2sockaddr_can().
The remaining 5 patches are by Oleksij Rempel and fix reception of j1939
messages not originated by the stack, a use-after-free in j1939_tp_txtimer(),
and ensure that the CAN driver has a ml_priv allocated. These problems were found by
Google's syzbot. Further, ETP sessions with block size of less than 255 are
fixed and a sanity check was added to j1939_xtp_rx_dat_one() to detect packet
corruption.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/can/j1939/socket.c')
-rw-r--r-- | net/can/j1939/socket.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 78ff9b3f1d40..b93876c57fc4 100644
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -398,6 +398,7 @@ static int j1939_sk_init(struct sock *sk)
 spin_lock_init(&jsk->sk_session_queue_lock);
 INIT_LIST_HEAD(&jsk->sk_session_queue);
 sk->sk_destruct = j1939_sk_sock_destruct;
+ sk->sk_protocol = CAN_J1939;
 
 return 0;
 }
@@ -466,6 +467,14 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 goto out_release_sock;
 }
 
+ if (!ndev->ml_priv) {
+ netdev_warn_once(ndev,
+ "No CAN mid layer private allocated, please fix your driver and use alloc_candev()!\n");
+ dev_put(ndev);
+ ret = -ENODEV;
+ goto out_release_sock;
+ }
+
 priv = j1939_netdev_start(ndev);
 dev_put(ndev);
 if (IS_ERR(priv)) {
@@ -553,6 +562,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
 static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
 const struct j1939_sock *jsk, int peer)
 {
+ /* There are two holes (2 bytes and 3 bytes) to clear to avoid
+ * leaking kernel information to user space.
+ */
+ memset(addr, 0, J1939_MIN_NAMELEN);
+
 addr->can_family = AF_CAN;
 addr->can_ifindex = jsk->ifindex;
 addr->can_addr.j1939.pgn = jsk->addr.pgn; |
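Review bot: In j1939_sk_bind(), a non-NULL `ndev->ml_priv` does not by itself show that the interface is a CAN device, because the added check tests only for NULL and the hunk shows no test of the device type before `j1939_netdev_start(ndev)`. If no such test exists in the part of the function outside this hunk, an interface of another type that uses ml_priv for its own data would pass, and that pointer would presumably be read as CAN mid-layer state later. Rejecting any device whose type is not ARPHRD_CAN, on the same -ENODEV path and ahead of the ml_priv check, would close that gap and keep the driver warning specific to real CAN devices. j1939_sk_bind() starts and ends outside the hunk.

```c
	if (ndev->type != ARPHRD_CAN) {
		dev_put(ndev);
		ret = -ENODEV;
		goto out_release_sock;
	}

	if (!ndev->ml_priv) {
		/* … unchanged: warning and -ENODEV path added by this hunk … */
```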
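Review bot: In j1939_sk_sock2sockaddr_can(), the new memset clears exactly J1939_MIN_NAMELEN bytes but the function receives no buffer length, so the info-leak fix is complete only if every caller passes at least that many bytes and copies no more than that to user space; the callers are not visible in this hunk. The comment could state that contract rather than only counting holes, for example `/* Caller must provide >= J1939_MIN_NAMELEN bytes and copy out no more than that. */`. The "2 bytes and 3 bytes" figures depend on the layout of struct sockaddr_can, so naming the struct in the comment would help whoever changes that layout later. The function body continues outside the hunk.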