From 233a26e85f9a72bcd0cdb7a95d1d5abcd052369f Mon Sep 17 00:00:00 2001 From: Maximilian Schneider Date: Tue, 2 Jul 2013 23:43:29 +0000 Subject: net: can: esd_usb2: check index of array before accessing The esd_usb2_read_bulk_callback() function is parsing the data that comes from the USB CAN adapter. One datum is used as an index to access the dev->nets[] array. This patch adds the missing bounds checking. Acked-by: Matthias Fuchs Signed-off-by: Maximilian Schneider Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/esd_usb2.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'drivers/net/can') diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c index 6aa7b3266c8..ac6177d3bef 100644 --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -412,10 +412,20 @@ static void esd_usb2_read_bulk_callback(struct urb *urb) switch (msg->msg.hdr.cmd) { case CMD_CAN_RX: + if (msg->msg.rx.net >= dev->net_count) { + dev_err(dev->udev->dev.parent, "format error\n"); + break; + } + esd_usb2_rx_can_msg(dev->nets[msg->msg.rx.net], msg); break; case CMD_CAN_TX: + if (msg->msg.txdone.net >= dev->net_count) { + dev_err(dev->udev->dev.parent, "format error\n"); + break; + } + esd_usb2_tx_done_msg(dev->nets[msg->msg.txdone.net], msg); break; -- cgit v1.2.3-18-g5258 From 7671986839f9207f8d76e8ef92b2d3f263a794cc Mon Sep 17 00:00:00 2001 From: Alexey Khoroshilov Date: Thu, 18 Jul 2013 01:20:33 +0400 Subject: can: usb_8dev: fix urb leak on failure path in usb_8dev_start() If usb_8dev_start() fails to submit urb, it unanchors the urb but forgets to free it. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/usb_8dev.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/net/can') diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index cbd388eea68..8becd3d838b 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -779,6 +779,7 @@ static int usb_8dev_start(struct usb_8dev_priv *priv) usb_unanchor_urb(urb); usb_free_coherent(priv->udev, RX_BUFFER_SIZE, buf, urb->transfer_dma); + usb_free_urb(urb); break; } -- cgit v1.2.3-18-g5258