Skip to content

Commit a3ed215

Browse files
marckleinebuddemarckleinebudde
committed
Merge patch series "can: populate ndo_change_mtu() to prevent buffer overflow"
Vincent Mailhol <[email protected]> says: Four drivers, namely etas_es58x, hi311x, sun4i_can and mcba_usb forgot to populate their net_device_ops->ndo_change_mtu(). Because of that, the user is free to configure any MTU on these interfaces. This can be abused by an attacker who could craft some skbs and send them through PF_PACKET to perform a buffer overflow of up to 247 bytes in each of these drivers. This series contains four patches, one for each of the drivers, to add the missing ndo_change_mtu() callback. The descriptions contain detailed explanations of how the buffer overflow could be triggered. Link: https://patch.msgid.link/[email protected] Signed-off-by: Marc Kleine-Budde <[email protected]>
2 parents 5cff263 + 17c8d79 commit a3ed215

File tree

4 files changed

+5
-1
lines changed

4 files changed

+5
-1
lines changed

drivers/net/can/spi/hi311x.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -799,6 +799,7 @@ static const struct net_device_ops hi3110_netdev_ops = {
799799
.ndo_open = hi3110_open,
800800
.ndo_stop = hi3110_stop,
801801
.ndo_start_xmit = hi3110_hard_start_xmit,
802+
.ndo_change_mtu = can_change_mtu,
802803
};
803804

804805
static const struct ethtool_ops hi3110_ethtool_ops = {

drivers/net/can/sun4i_can.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -768,6 +768,7 @@ static const struct net_device_ops sun4ican_netdev_ops = {
768768
.ndo_open = sun4ican_open,
769769
.ndo_stop = sun4ican_close,
770770
.ndo_start_xmit = sun4ican_start_xmit,
771+
.ndo_change_mtu = can_change_mtu,
771772
};
772773

773774
static const struct ethtool_ops sun4ican_ethtool_ops = {

drivers/net/can/usb/etas_es58x/es58x_core.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
*
88
* Copyright (c) 2019 Robert Bosch Engineering and Business Solutions. All rights reserved.
99
* Copyright (c) 2020 ETAS K.K.. All rights reserved.
10-
* Copyright (c) 2020-2022 Vincent Mailhol <mailhol[email protected]>
10+
* Copyright (c) 2020-2025 Vincent Mailhol <mailhol@kernel.org>
1111
*/
1212

1313
#include <linux/unaligned.h>
@@ -1977,6 +1977,7 @@ static const struct net_device_ops es58x_netdev_ops = {
19771977
.ndo_stop = es58x_stop,
19781978
.ndo_start_xmit = es58x_start_xmit,
19791979
.ndo_eth_ioctl = can_eth_ioctl_hwts,
1980+
.ndo_change_mtu = can_change_mtu,
19801981
};
19811982

19821983
static const struct ethtool_ops es58x_ethtool_ops = {

drivers/net/can/usb/mcba_usb.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -761,6 +761,7 @@ static const struct net_device_ops mcba_netdev_ops = {
761761
.ndo_open = mcba_usb_open,
762762
.ndo_stop = mcba_usb_close,
763763
.ndo_start_xmit = mcba_usb_start_xmit,
764+
.ndo_change_mtu = can_change_mtu,
764765
};
765766

766767
static const struct ethtool_ops mcba_ethtool_ops = {

0 commit comments

Comments
 (0)