From 7c96a25ec1fde449b5c4fb511ddb54f864c19cb3 Mon Sep 17 00:00:00 2001 From: Jaroslav Beran Date: Fri, 19 Mar 2021 11:19:49 +0100 Subject: [PATCH] can: prevent integer overflow in can_write Because buflen is size_t (unsigned) and nsent is ssize_t (signed) of the same size, (buflen - nsent) results in unsigned and overflows if nsent > buflen. This happens when sending CAN FD frame with DLC > 8 and a user gets the buflen parameter as a result of CAN_MSGLEN(len) where `len' is the size of data which is less than a size for some extended DLC (e.g. 26 bytes is sent in a message with DLC 0xD, which has 32 bytes of data). The correct buflen value should be rather CAN_MSGLEN(can_dlc2bytes(can_bytes2dlc(len))) Signed-off-by: Jaroslav Beran --- drivers/can/can.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/can/can.c b/drivers/can/can.c index 4be8099fe7..cb6d7e27e7 100644 --- a/drivers/can/can.c +++ b/drivers/can/can.c @@ -811,7 +811,7 @@ static ssize_t can_write(FAR struct file *filep, FAR const char *buffer, * shorter than the minimum. */ - while ((buflen - nsent) >= CAN_MSGLEN(0)) + while (((ssize_t)buflen - nsent) >= CAN_MSGLEN(0)) { /* Check if adding this new message would over-run the drivers ability * to enqueue xmit data.
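Review bot: In the changed `while` condition, the cast only helps if `CAN_MSGLEN(0)` has a signed type. Its definition is not visible in this hunk; if it expands to a `sizeof`-based expression of type `size_t`, the usual arithmetic conversions turn `(ssize_t)buflen - nsent` back into an unsigned value for the `>=` comparison, and a negative difference again compares as a very large number, so the loop would still continue. Please confirm the macro's type, or write the test so that no signed/unsigned mixing occurs, for example `(size_t)nsent <= buflen && buflen - (size_t)nsent >= CAN_MSGLEN(0)`. Separately, per the commit message `nsent > buflen` arises because the previous iteration consumed a message whose DLC-derived length was larger than the bytes the caller supplied, so by the time this condition is evaluated the driver has already read past the end of `buffer`. A check inside the loop body that the current message's length does not exceed `buflen - nsent`, rejecting the write otherwise, would address the over-read itself rather than only stopping the loop afterwards; relying on callers to pass `CAN_MSGLEN(can_dlc2bytes(can_bytes2dlc(len)))` leaves the driver trusting a user-controlled length.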