From 2d4b6faf7d1818e9a52ae9f068ab4ffd9c3be923 Mon Sep 17 00:00:00 2001 From: Wolfgang Grandegger Date: Thu, 7 Jan 2010 09:43:06 +0000 Subject: [PATCH] can: mscan: fix improper return if dlc < 8 in start_xmit function The start_xmit function of the MSCAN Driver did return improperly if the CAN dlc check failed (skb not freed and invalid return code). This patch adds a proper check of the frame lenght and data size and returns now correctly. The invalid skb packets are dropped silently as suggested by David Miller in the thread "[RFC] ndo_validate_skb: Let the netdev check a valid skb content" on the netdev mailing list. Furthermore, a typo has been fixed. Signed-off-by: Wolfgang Grandegger Reviewed-by: Wolfram Sang Signed-off-by: David S. Miller --- drivers/net/can/mscan/mscan.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/can/mscan/mscan.c b/drivers/net/can/mscan/mscan.c index 07346f880ca6..0dcbe8cfab64 100644 --- a/drivers/net/can/mscan/mscan.c +++ b/drivers/net/can/mscan/mscan.c @@ -4,7 +4,7 @@ * Copyright (C) 2005-2006 Andrey Volkov , * Varma Electronics Oy * Copyright (C) 2008-2009 Wolfgang Grandegger - * Copytight (C) 2008-2009 Pengutronix + * Copyright (C) 2008-2009 Pengutronix * * This program is free software; you can redistribute it and/or modify * it under the terms of the version 2 of the GNU General Public License @@ -177,8 +177,11 @@ static netdev_tx_t mscan_start_xmit(struct sk_buff *skb, struct net_device *dev) int i, rtr, buf_id; u32 can_id; - if (frame->can_dlc > 8) - return -EINVAL; + if (skb->len != sizeof(*frame) || frame->can_dlc > 8) { + kfree_skb(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } out_8(®s->cantier, 0);