author | Wolfgang Grandegger <wg@denx.de> | 2010-01-07 09:43:06 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-01-08 01:02:17 -0800 |
commit | 2d4b6faf7d1818e9a52ae9f068ab4ffd9c3be923 (patch) | |
tree | ea83652ec221c38122ac4cc524e365db81b9d4c7 /drivers/net/can/mscan | |
parent | 5856b606e69d3e4dc2d718b475e216eb30ee2006 (diff) | |
can: mscan: fix improper return if dlc < 8 in start_xmit function
The start_xmit function of the MSCAN Driver did return improperly if
the CAN dlc check failed (skb not freed and invalid return code). This
patch adds a proper check of the frame length and data size and returns
now correctly. The invalid skb packets are dropped silently as suggested
by David Miller in the thread "[RFC] ndo_validate_skb: Let the netdev
check a valid skb content" on the netdev mailing list.
Furthermore, a typo has been fixed.
Signed-off-by: Wolfgang Grandegger <wg@denx.de>
Reviewed-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/can/mscan')
-rw-r--r-- | drivers/net/can/mscan/mscan.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/net/can/mscan/mscan.c b/drivers/net/can/mscan/mscan.c index 07346f88..0dcbe8c 100644 --- a/drivers/net/can/mscan/mscan.c +++ b/drivers/net/can/mscan/mscan.c @@ -4,7 +4,7 @@ * Copyright (C) 2005-2006 Andrey Volkov <avolkov@varma-el.com>, * Varma Electronics Oy * Copyright (C) 2008-2009 Wolfgang Grandegger <wg@grandegger.com> - * Copytight (C) 2008-2009 Pengutronix <kernel@pengutronix.de> + * Copyright (C) 2008-2009 Pengutronix <kernel@pengutronix.de> * * This program is free software; you can redistribute it and/or modify * it under the terms of the version 2 of the GNU General Public License @@ -177,8 +177,11 @@ static netdev_tx_t mscan_start_xmit(struct sk_buff *skb, struct net_device *dev) int i, rtr, buf_id; u32 can_id; - if (frame->can_dlc > 8) - return -EINVAL; + if (skb->len != sizeof(*frame) || frame->can_dlc > 8) { + kfree_skb(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } out_8(®s->cantier, 0); |
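Review bot: In the mscan_start_xmit hunk, the condition drops frames with `frame->can_dlc > 8`, but the commit subject says "dlc < 8"; the subject should be corrected so the log matches the code. The new test `skb->len != sizeof(*frame) || frame->can_dlc > 8` does not depend on anything MSCAN-specific, so consider moving it and its drop path (kfree_skb, tx_dropped++, return NETDEV_TX_OK) into a shared helper that other CAN drivers' start_xmit functions can call instead of open-coding it here. Checking skb->len before can_dlc is the right order, because it confirms a complete frame is present before the length field is trusted. A short comment above the check saying that malformed skbs are dropped silently on purpose would help later readers, since returning NETDEV_TX_OK for a rejected frame is not obvious. The copyright typo fix in the first hunk is unrelated to the transmit path and would be cleaner as a separate patch.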