HI! > From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > [ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ] > > These values come from skb->data so Smatch considers them untrusted. I > believe Smatch is correct but I don't have a way to test this. > > The usb_if->dev[] array has 2 elements but the index is in the 0-15 > range without checks. The cfd->len can be up to 255 but the maximum > valid size is CANFD_MAX_DLEN (64) so that could lead to memory > corruption. If this is untrusted, does it need to use _nospec() variants? > index 41988358f63c8..19600d35aac55 100644 > --- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c > +++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c > @@ -476,12 +476,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, > struct pucan_msg *rx_msg) > { ... > const u16 rx_msg_flags = le16_to_cpu(rm->flags); > > + if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev)) > + return -ENOMEM; Furthermore, should it use -EINVAL here > + if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev)) > + return -ENOMEM; and here, and perhaps use a helper function? Best regards, Pavel -- http://www.livejournal.com/~pavelmachek
Attachment:
signature.asc
Description: Digital signature