diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-02-23 19:30:20 +0300 |
|---|---|---|
| committer | Marc Kleine-Budde <mkl@pengutronix.de> | 2026-03-02 13:03:42 +0300 |
| commit | 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 (patch) | |
| tree | 8e75189f36dddbcb9685f4d2c1021487d220ad02 | |
| parent | 38a01c9700b0dcafe97dfa9dc7531bf4a245deff (diff) | |
| download | linux-1e446fd0582ad8be9f6dafb115fc2e7245f9bea7.tar.xz | |
can: ucan: Fix infinite loop from zero-length messages
If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.
This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
| -rw-r--r-- | drivers/net/can/usb/ucan.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index c79508b1c43e..0ea0ac75e42f 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -748,7 +748,7 @@ static void ucan_read_bulk_callback(struct urb *urb) len = le16_to_cpu(m->len); /* check sanity (length of content) */ - if (urb->actual_length - pos < len) { + if ((len == 0) || (urb->actual_length - pos < len)) { netdev_warn(up->netdev, "invalid message (short; no data; l:%d)\n", urb->actual_length); |