Oleksij Rempel cd3b3636c9 can: j1939: transport: j1939_session_tx_dat(): fix use-after-free read in j1939_tp_txtimer() ... The current stack implementation do not support ECTS requests of not aligned TP sized blocks. If ECTS will request a block with size and offset spanning two TP blocks, this will cause memcpy() to read beyond the queued skb (which does only contain one TP sized block). Sometimes KASAN will detect this read if the memory region beyond the skb was previously allocated and freed. In other situations it will stay undetected. The ETP transfer in any case will be corrupted. This patch adds a sanity check to avoid this kind of read and abort the session with error J1939_XTP_ABORT_ECTS_TOO_BIG. Reported-by: syzbot+5322482fe520b02aea30@syzkaller.appspotmail.com Fixes: 9d71dd0c70 ("can: add support of SAE J1939 protocol") Cc: linux-stable <stable@vger.kernel.org> # >= v5.4 Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://lore.kernel.org/r/20200807105200.26441-3-o.rempel@pengutronix.de Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>		2020-08-14 12:38:47 +02:00
..
j1939	can: j1939: transport: j1939_session_tx_dat(): fix use-after-free read in j1939_tp_txtimer()	2020-08-14 12:38:47 +02:00
af_can.c	net: can: kerneldoc fixes	2020-07-13 17:20:39 -07:00
af_can.h	can: introduce CAN midlayer private and allocate it automatically	2019-09-04 13:29:14 +02:00
bcm.c	net: make ->{get,set}sockopt in proto_ops optional	2020-07-19 18:16:41 -07:00
gw.c	can: gw: add support for CAN FD frames	2019-08-13 17:32:21 +02:00
Kconfig	treewide: replace '---help---' in Kconfig files with 'help'	2020-06-14 01:57:21 +09:00
Makefile	can: add support of SAE J1939 protocol	2019-09-04 14:22:33 +02:00
proc.c	can: introduce CAN midlayer private and allocate it automatically	2019-09-04 13:29:14 +02:00
raw.c	net: pass a sockptr_t into ->setsockopt	2020-07-24 15:41:54 -07:00