Re: [PATCH net] net/sched: em_canid: add length check before reading CAN ID
From: SHAURYA RANE
Date: Tue Nov 25 2025 - 23:59:52 EST
You're right, checking skb->len alone doesn’t guarantee that the
required bytes are present in the linear data area, especially for
fragmented skbs. I’ll switch this to a proper pskb_may_pull(skb,
sizeof(canid_t)) check to ensure the CAN ID is safely accessible.
I’ll send a v2 patch with the corrected validation.
Thanks,
Shaurya
On Wed, Nov 26, 2025 at 9:46 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
>
> On Tue, Nov 25, 2025 at 7:46 PM <ssrane_b23@xxxxxxxxxxxxx> wrote:
> >
> > From: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
> >
> > Add a check to verify that the skb has at least sizeof(canid_t) bytes
> > before reading the CAN ID from skb->data. This prevents reading
> > uninitialized memory when processing malformed packets that don't
> > contain a valid CAN frame.
> >
> > Reported-by: syzbot+5d8269a1e099279152bc@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
> > Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
> > Signed-off-by: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
> > ---
> > net/sched/em_canid.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
> > index 5337bc462755..a9b6cab70ff1 100644
> > --- a/net/sched/em_canid.c
> > +++ b/net/sched/em_canid.c
> > @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
> > int i;
> > const struct can_filter *lp;
> >
> > + if (skb->len < sizeof(canid_t))
> > + return 0;
> > +
>
> Please keep in mind that this test is not enough, even if it may
> prevent a particular syzbot repro from triggering a bug.
>
> Take a look at pskb_may_pull() for details.