OrgApache/incubator-nuttx
OrgApache
/
incubator-nuttx
mirror of https://github.com/apache/incubator-nuttx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

can: prevent integer overflow in can_write 

Because buflen is size_t (unsigned) and nsent is ssize_t (signed)
of the same size, (buflen - nsent) results in unsigned and
overflows if nsent > buflen.

This happens when sending CAN FD frame with DLC > 8 and a user
gets the buflen parameter as a result of CAN_MSGLEN(len)
where `len' is the size of data which is less then a size
for some extended DLC  (e.g. 26 bytes is sent in a message with
DLC 0xD, which has 32 bytes of data).

The correct buflen value should be rather
  CAN_MSGLEN(can_dlc2bytes(can_bytes2dlc(len)))

Signed-off-by: Jaroslav Beran <jara.beran@gmail.com>
This commit is contained in:
Jaroslav Beran 2021-03-19 11:19:49 +01:00 committed by Xiang Xiao
parent a0f5892be9
commit 7c96a25ec1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/can/can.c
View File

@ -811,7 +811,7 @@ static ssize_t can_write(FAR struct file *filep, FAR const char *buffer,
* shorter than the minimum.
*/
while ((buflen - nsent) >= CAN_MSGLEN(0))
while (((ssize_t)buflen - nsent) >= CAN_MSGLEN(0))
{
/* Check if adding this new message would over-run the drivers ability
* to enqueue xmit data.