mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-09-04 20:19:47 +08:00
e2b1e4b532
During the handling of CAN bus errors, a CAN error SKB is allocated
using alloc_can_err_skb(). Even if the allocation of the SKB fails,
the function continues in order to do the stats handling.
All access to the can_frame pointer (cf) should be guarded by an if
statement:
if (cf)
However, the increment of the rx_bytes stats:
netdev->stats.rx_bytes += cf->can_dlc;
dereferences the cf pointer and was not guarded by an if condition
leading to a NULL pointer dereference if the can_err_skb() function
failed.
Replacing the cf->can_dlc by the macro CAN_ERR_DLC (which is the
length of any CAN error frames) solves this NULL pointer dereference.
Fixes:
|
||
|---|---|---|
| .. | ||
| etas_es58x | ||
| kvaser_usb | ||
| peak_usb | ||
| ems_usb.c | ||
| esd_usb2.c | ||
| gs_usb.c | ||
| Kconfig | ||
| Makefile | ||
| mcba_usb.c | ||
| ucan.c | ||
| usb_8dev.c | ||