diff options
| author | Marc Kleine-Budde <mkl@pengutronix.de> | 2026-03-19 19:16:03 +0300 |
|---|---|---|
| committer | Marc Kleine-Budde <mkl@pengutronix.de> | 2026-03-19 19:16:03 +0300 |
| commit | cce598ffc6afd01e7a780051f3ac624b60aa2ee4 (patch) | |
| tree | bb10ebe9c2f5ec63fb035a3a216e14ab6957087b /net | |
| parent | 46eee1661aa9b49966e6c43d07126fe408edda57 (diff) | |
| parent | 424e95d62110cdbc8fd12b40918f37e408e35a92 (diff) | |
| download | linux-cce598ffc6afd01e7a780051f3ac624b60aa2ee4.tar.xz | |
Merge patch series "can: fix can-gw Out-of-Bounds Heap R/W and isotp UAF"
Marc Kleine-Budde <mkl@pengutronix.de> says:
This series is by Ali Norouzi and Oliver Hartkopp fixing a can-gw
Out-of-Bounds Heap R/W and can-isotp UAF.
Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Diffstat (limited to 'net')
| -rw-r--r-- | net/can/gw.c | 6 | ||||
| -rw-r--r-- | net/can/isotp.c | 24 |
2 files changed, 21 insertions, 9 deletions
diff --git a/net/can/gw.c b/net/can/gw.c index 8ee4d67a07d3..0ec99f68aa45 100644 --- a/net/can/gw.c +++ b/net/can/gw.c @@ -375,10 +375,10 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf, return; if (from <= to) { - for (i = crc8->from_idx; i <= crc8->to_idx; i++) + for (i = from; i <= to; i++) crc = crc8->crctab[crc ^ cf->data[i]]; } else { - for (i = crc8->from_idx; i >= crc8->to_idx; i--) + for (i = from; i >= to; i--) crc = crc8->crctab[crc ^ cf->data[i]]; } @@ -397,7 +397,7 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf, break; } - cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val; + cf->data[res] = crc ^ crc8->final_xor_val; } static void cgw_csum_crc8_pos(struct canfd_frame *cf, diff --git a/net/can/isotp.c b/net/can/isotp.c index da3b72e7afcc..2770f43f4951 100644 --- a/net/can/isotp.c +++ b/net/can/isotp.c @@ -1248,12 +1248,6 @@ static int isotp_release(struct socket *sock) so->ifindex = 0; so->bound = 0; - if (so->rx.buf != so->rx.sbuf) - kfree(so->rx.buf); - - if (so->tx.buf != so->tx.sbuf) - kfree(so->tx.buf); - sock_orphan(sk); sock->sk = NULL; @@ -1622,6 +1616,21 @@ static int isotp_notifier(struct notifier_block *nb, unsigned long msg, return NOTIFY_DONE; } +static void isotp_sock_destruct(struct sock *sk) +{ + struct isotp_sock *so = isotp_sk(sk); + + /* do the standard CAN sock destruct work */ + can_sock_destruct(sk); + + /* free potential extended PDU buffers */ + if (so->rx.buf != so->rx.sbuf) + kfree(so->rx.buf); + + if (so->tx.buf != so->tx.sbuf) + kfree(so->tx.buf); +} + static int isotp_init(struct sock *sk) { struct isotp_sock *so = isotp_sk(sk); @@ -1666,6 +1675,9 @@ static int isotp_init(struct sock *sk) list_add_tail(&so->notifier, &isotp_notifier_list); spin_unlock(&isotp_notifier_lock); + /* re-assign default can_sock_destruct() reference */ + sk->sk_destruct = isotp_sock_destruct; + return 0; } |