Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

can: ucan: Fix infinite loop from zero-length messages

If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.

This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.

Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Vincent Mailhol <mailhol@kernel.org>
Cc: stable@kernel.org
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

authored by Greg Kroah-Hartman and committed by Marc Kleine-Budde
1e446fd0 38a01c97

+1 -1
drivers/net/can/usb/ucan.c
··· 748 748 len = le16_to_cpu(m->len); 749 749 750 750 /* check sanity (length of content) */ 751 - if (urb->actual_length - pos < len) { 751 + if ((len == 0) || (urb->actual_length - pos < len)) { 752 752 netdev_warn(up->netdev, 753 753 "invalid message (short; no data; l:%d)\n", 754 754 urb->actual_length);
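
Review bot: On the changed `if` line, a zero `len` now lands in the existing `netdev_warn()` whose text is "invalid message (short; no data; l:%d)" and whose argument is `urb->actual_length`, so the log cannot distinguish a zero-length message from a truncated one and never shows the offending value. Printing `len` and `pos` alongside `urb->actual_length` would make the report usable when triaging a misbehaving device, and since a device that sends one such message can send many, it is worth considering whether this warning should be rate-limited. The commit message says a zero-length message is skipped and parsing goes on to the next one, while the code routes it into the "invalid message" branch; the rest of that branch is outside the hunk, so please confirm its exit path matches the description or adjust the wording. Style: the inner parentheses are redundant, `if (!len || urb->actual_length - pos < len)` reads the same.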