Message ID | 20230405092444.1802340-2-mkl@pengutronix.de (mailing list archive) |
---|---|
State | Accepted |
Commit | b45193cb4df556fe6251b285a5ce44046dd36b4a |
Delegated to: | Netdev Maintainers |
Series | [net,1/4] can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access |
Hello:

This series was applied to netdev/net.git (main)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Wed, 5 Apr 2023 11:24:41 +0200 you wrote:

> From: Oleksij Rempel <o.rempel@pengutronix.de>
>
> In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
> could occur during the memcpy() operation if the size of skb->cb is
> larger than the size of struct j1939_sk_buff_cb. This is because the
> memcpy() operation uses the size of skb->cb, leading to a read beyond
> the struct j1939_sk_buff_cb.
>
> [...]

Here is the summary with links:

- [net,1/4] can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
  https://git.kernel.org/netdev/net/c/b45193cb4df5
- [net,2/4] can: isotp: isotp_recvmsg(): use sock_recv_cmsgs() to get SOCK_RXQ_OVFL infos
  https://git.kernel.org/netdev/net/c/0145462fc802
- [net,3/4] can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
  https://git.kernel.org/netdev/net/c/79e19fa79cb5
- [net,4/4] can: isotp: fix race between isotp_sendsmg() and isotp_release()
  https://git.kernel.org/netdev/net/c/051737439eae

You are awesome, thank you!
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index fb92c3609e17..fe3df23a2595 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j1939_priv *priv, /* reserve CAN header */ skb_reserve(skb, offsetof(struct can_frame, data)); - memcpy(skb->cb, re_skcb, sizeof(skb->cb)); + /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */ + BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb)); + + memcpy(skb->cb, re_skcb, sizeof(*re_skcb)); skcb = j1939_skb_to_cb(skb); if (swap_src_dst) j1939_skbcb_swap(skcb);
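
Review bot: at the new `memcpy(skb->cb, re_skcb, sizeof(*re_skcb));` the bytes of `skb->cb` beyond `sizeof(*re_skcb)` are no longer written, whereas the removed line overwrote the whole array. The hunk does not show how `skb` is allocated, so please state in the comment or the commit message that the tail of `skb->cb` is already zeroed or is never read through `j1939_skb_to_cb()`. The added comment also documents only the `BUILD_BUG_ON()` (destination large enough); a few words saying that the copy length is now bounded by the source object would record the actual defect, which was a read past `re_skcb`.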