Re: [PATCH net] net/sched: em_canid: add length check before reading CAN ID
From: Eric Dumazet
Date: Tue Nov 25 2025 - 23:17:44 EST
On Tue, Nov 25, 2025 at 7:46 PM <ssrane_b23@xxxxxxxxxxxxx> wrote:
>
> From: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
>
> Add a check to verify that the skb has at least sizeof(canid_t) bytes
> before reading the CAN ID from skb->data. This prevents reading
> uninitialized memory when processing malformed packets that don't
> contain a valid CAN frame.
>
> Reported-by: syzbot+5d8269a1e099279152bc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
> Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
> Signed-off-by: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
> ---
> net/sched/em_canid.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
> index 5337bc462755..a9b6cab70ff1 100644
> --- a/net/sched/em_canid.c
> +++ b/net/sched/em_canid.c
> @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
> int i;
> const struct can_filter *lp;
>
> + if (skb->len < sizeof(canid_t))
> + return 0;
> +
Please keep in mind that this test is not enough, even if it may
prevent a particular syzbot repro from triggering a bug.
Take a look at pskb_may_pull() for details.