git.baikalelectronics.ru Git - kernel.git/commit

author	Anssi Hannula <anssi.hannula@bitwise.fi>
	Mon, 10 Oct 2022 15:08:26 +0000 (17:08 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 26 Oct 2022 11:22:13 +0000 (13:22 +0200)
commit	9bd20d58557ff763362e416411e8810377b5d6d5
tree	890ae2ab3158408d4c13e366591ad83a17470a13	tree \| snapshot
parent	8ee427fb5a84301cc9b1928274eb7d9ab69b4ea8	commit \| diff

can: kvaser_usb_leaf: Fix overread with an invalid command

commit b2b02e750d55f8d3e84f0175c2b2a5d219d29426 upstream.

For command events read from the device,
kvaser_usb_leaf_read_bulk_callback() verifies that cmd->len does not
exceed the size of the received data, but the actual kvaser_cmd handlers
will happily read any kvaser_cmd fields without checking for cmd->len.

This can cause an overread if the last cmd in the buffer is shorter than
expected for the command type (with cmd->len showing the actual short
size).

Maximum overread seems to be 22 bytes (CMD_LEAF_LOG_MESSAGE), some of
which are delivered to userspace as-is.

Fix that by verifying the length of command before handling it.

This issue can only occur after RX URBs have been set up, i.e. the
interface has been opened at least once.

Cc: stable@vger.kernel.org
Fixes: d001c8c6a4d1 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010150829.199676-2-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>