Oleksij Rempel b45193cb4d can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access ... In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb. Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access. Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure. Fixes: 9d71dd0c70 ("can: add support of SAE J1939 protocol") Reported-by: Shuangpeng Bai <sjb7183@psu.edu> Tested-by: Shuangpeng Bai <sjb7183@psu.edu> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de Cc: stable@vger.kernel.org [mkl: rephrase commit message] Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>		2023-04-05 10:51:57 +02:00
..
address-claim.c	can: j1939: do not wait 250 ms if the same addr was already claimed	2023-02-07 15:00:22 +01:00
bus.c
j1939-priv.h	can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes	2021-10-17 14:12:57 +02:00
Kconfig
main.c	can: j1939: j1939_send_one(): fix missing CAN header initialization	2022-11-07 14:00:27 +01:00
Makefile
socket.c	treewide: use get_random_u32_below() instead of deprecated function	2022-11-18 02:15:15 +01:00
transport.c	can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access	2023-04-05 10:51:57 +02:00