can: prevent integer overflow in can_write
Because buflen is size_t (unsigned) and nsent is ssize_t (signed) of the same size, (buflen - nsent) results in unsigned and overflows if nsent > buflen. This happens when sending CAN FD frame with DLC > 8 and a user gets the buflen parameter as a result of CAN_MSGLEN(len) where `len' is the size of data which is less then a size for some extended DLC (e.g. 26 bytes is sent in a message with DLC 0xD, which has 32 bytes of data). The correct buflen value should be rather CAN_MSGLEN(can_dlc2bytes(can_bytes2dlc(len))) Signed-off-by: Jaroslav Beran <jara.beran@gmail.com>
This commit is contained in:
parent
a0f5892be9
commit
7c96a25ec1
|
@ -811,7 +811,7 @@ static ssize_t can_write(FAR struct file *filep, FAR const char *buffer,
|
||||||
* shorter than the minimum.
|
* shorter than the minimum.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
while ((buflen - nsent) >= CAN_MSGLEN(0))
|
while (((ssize_t)buflen - nsent) >= CAN_MSGLEN(0))
|
||||||
{
|
{
|
||||||
/* Check if adding this new message would over-run the drivers ability
|
/* Check if adding this new message would over-run the drivers ability
|
||||||
* to enqueue xmit data.
|
* to enqueue xmit data.
|
||||||
|
|
Loading…
Reference in New Issue