From: Rostislav Lisovy <lisovy@gmail.com>
Date: Thu, 8 Sep 2011 13:58:01 +0000 (+0200)
Subject: Limit can_id range to avoid arbitrary write to array.
X-Git-Url: http://rtime.felk.cvut.cz/gitweb/lisovros/linux_canprio.git/commitdiff_plain/90c5aac40fb280246fef1c03c5d946f216c3de01

Limit can_id range to avoid arbitrary write to array.
---

diff --git a/net/sched/cls_canprio.c b/net/sched/cls_canprio.c
index 31512ed1028..8663edf65c0 100644
--- a/net/sched/cls_canprio.c
+++ b/net/sched/cls_canprio.c
@@ -105,7 +105,9 @@ static void canprio_sff_match_add(struct canprio_rules *rls, u32 can_id, u32 can
 	int i;
 
 	pr_debug("%s() invoked\n", __FUNCTION__);
+	/* Limit can_mask and can_id to SFF range to protect against write after end of array */
 	can_mask &= CAN_SFF_MASK;
+	can_id &= can_mask;
 
 	/* single frame */
  	if (can_mask == CAN_SFF_MASK) {
@@ -119,9 +121,7 @@ static void canprio_sff_match_add(struct canprio_rules *rls, u32 can_id, u32 can
 		return;
 	}
 
-	/* individual frame filter: reduce runtime operations */
-	can_id &= can_mask;
-
+	/* individual frame filter */
 	/* Add record (set bit to 1) for each ID that conforms particular rule */
 	for (i = 0; i < (1 << CAN_SFF_ID_BITS); i++) {
 		if ((i & can_mask) == can_id)