From: Wolfgang Grandegger Date: Thu, 7 Jan 2010 09:43:06 +0000 (+0000) Subject: can: mscan: fix improper return if dlc < 8 in start_xmit function X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=2d4b6faf7d1818e9a52ae9f068ab4ffd9c3be923;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git can: mscan: fix improper return if dlc < 8 in start_xmit function The start_xmit function of the MSCAN Driver did return improperly if the CAN dlc check failed (skb not freed and invalid return code). This patch adds a proper check of the frame lenght and data size and returns now correctly. The invalid skb packets are dropped silently as suggested by David Miller in the thread "[RFC] ndo_validate_skb: Let the netdev check a valid skb content" on the netdev mailing list. Furthermore, a typo has been fixed. Signed-off-by: Wolfgang Grandegger Reviewed-by: Wolfram Sang Signed-off-by: David S. Miller --- diff --git a/drivers/net/can/mscan/mscan.c b/drivers/net/can/mscan/mscan.c index 07346f880ca6..0dcbe8cfab64 100644 --- a/drivers/net/can/mscan/mscan.c +++ b/drivers/net/can/mscan/mscan.c @@ -4,7 +4,7 @@ * Copyright (C) 2005-2006 Andrey Volkov , * Varma Electronics Oy * Copyright (C) 2008-2009 Wolfgang Grandegger - * Copytight (C) 2008-2009 Pengutronix + * Copyright (C) 2008-2009 Pengutronix * * This program is free software; you can redistribute it and/or modify * it under the terms of the version 2 of the GNU General Public License @@ -177,8 +177,11 @@ static netdev_tx_t mscan_start_xmit(struct sk_buff *skb, struct net_device *dev) int i, rtr, buf_id; u32 can_id; - if (frame->can_dlc > 8) - return -EINVAL; + if (skb->len != sizeof(*frame) || frame->can_dlc > 8) { + kfree_skb(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } out_8(®s->cantier, 0);