Re: [PATCH net] net/sched: em_canid: add length check before reading CAN ID

From: Eric Dumazet <edumazet@google.com>
Date: 2025-11-26 04:16:37
Also in: linux-can, linux-kernel-mentees, lkml

On Tue, Nov 25, 2025 at 7:46 PM [off-list ref] wrote:

quoted hunk ↗ jump to hunk

From: Shaurya Rane <redacted>

Add a check to verify that the skb has at least sizeof(canid_t) bytes
before reading the CAN ID from skb->data. This prevents reading
uninitialized memory when processing malformed packets that don't
contain a valid CAN frame.

Reported-by: syzbot+5d8269a1e099279152bc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
Signed-off-by: Shaurya Rane <redacted>
---
 net/sched/em_canid.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
index 5337bc462755..a9b6cab70ff1 100644
--- a/net/sched/em_canid.c
+++ b/net/sched/em_canid.c

@@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
        int i;
        const struct can_filter *lp;

+       if (skb->len < sizeof(canid_t))
+               return 0;
+

Please keep in mind that this test is not enough, even if it may
prevent a particular syzbot repro from triggering a bug.

Take a look at pskb_may_pull() for details.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help