Re: [PATCH v3] can: peak_usb: Add bounds check for USB channel index

Next message: Konrad Dybcio: "Re: [PATCH] pinctrl: qcom: sm6115: Add egpio support"
Previous message: Anandu Krishnan E: "[PATCH v1] misc: fastrpc: fix context leak and hang on signal-interrupted invoke"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vincent Mailhol

Date: Mon May 25 2026 - 08:44:15 EST

On 20/05/2026 at 07:40, James Gao wrote:
> The channel control index ctrl_idx is derived from rx->len which comes
> directly from a device USB payload. The mask 0x0f allows values 0-15,
> but the array size of usb_if->dev[] is only 2. Values 2-15 cause heap
> out-of-bounds read, eventually causing kernel panic in the IRQ context.
>
> Add bounds checking for ctrl_idx before the array access in both
> pcan_usb_pro_handle_canmsg() and pcan_usb_pro_handle_error().
>
> Fixes: d8a199355f8f ("can: usb: PEAK-System Technik PCAN-USB Pro specific part")
> Signed-off-by: James Gao <jamesgao5@xxxxxxxxxxx>

Thanks,

Reviewed-by: Vincent Mailhol <mailhol@xxxxxxxxxx>

Yours sincerely,
Vincent Mailhol