[PATCH 0/4] can: populate ndo_change_mtu() to prevent buffer overflow

Vincent Mailhol posted 4 patches 1 week, 6 days ago
drivers/net/can/spi/hi311x.c                | 1 +
drivers/net/can/sun4i_can.c                 | 1 +
drivers/net/can/usb/etas_es58x/es58x_core.c | 3 ++-
drivers/net/can/usb/mcba_usb.c              | 1 +
4 files changed, 5 insertions(+), 1 deletion(-)
[PATCH 0/4] can: populate ndo_change_mtu() to prevent buffer overflow
Posted by Vincent Mailhol 1 week, 6 days ago
Four drivers, namely etas_es58x, hi311x, sun4i_can and mcba_usb forgot
to populate their net_device_ops->ndo_change_mtu(). Because of that,
the user is free to configure any MTU on these interfaces.

This can be abused by an attacker who could craft some skbs and send
them through PF_PACKET to perform a buffer overflow of up to 247 bytes
in each of these drivers.

This series contains four patches, one for each of the drivers, to add
the missing ndo_change_mtu() callback. The descriptions contain
detailed explanations of how the buffer overflow could be triggered.

Signed-off-by: Vincent Mailhol <mailhol@kernel.org>
---
Vincent Mailhol (4):
      can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
      can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
      can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
      can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow

 drivers/net/can/spi/hi311x.c                | 1 +
 drivers/net/can/sun4i_can.c                 | 1 +
 drivers/net/can/usb/etas_es58x/es58x_core.c | 3 ++-
 drivers/net/can/usb/mcba_usb.c              | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)
---
base-commit: f83ec76bf285bea5727f478a68b894f5543ca76e
change-id: 20250918-can-fix-mtu-b521e1ed1a29

Best regards,
-- 
Vincent Mailhol <mailhol@kernel.org>
Re: [PATCH 0/4] can: populate ndo_change_mtu() to prevent buffer overflow
Posted by Marc Kleine-Budde 1 week, 5 days ago
On 18.09.2025 18:00:23, Vincent Mailhol wrote:
> Four drivers, namely etas_es58x, hi311x, sun4i_can and mcba_usb forgot
> to populate their net_device_ops->ndo_change_mtu(). Because of that,
> the user is free to configure any MTU on these interfaces.
> 
> This can be abused by an attacker who could craft some skbs and send
> them through PF_PACKET to perform a buffer overflow of up to 247 bytes
> in each of these drivers.
> 
> This series contains four patches, one for each of the drivers, to add
> the missing ndo_change_mtu() callback. The descriptions contain
> detailed explanations of how the buffer overflow could be triggered.
> 
> Signed-off-by: Vincent Mailhol <mailhol@kernel.org>

Added to linux-can.

Thanks,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |