Limit can_id range to avoid arbitrary write to array.

diff --git a/net/sched/cls_canprio.c b/net/sched/cls_canprio.c
index 31512ed1028e93073f992094b4a5cf90daf9ae96..8663edf65c0015a487e9a344999fe0606f1aba66 100644 (file)
--- a/net/sched/cls_canprio.c
+++ b/net/sched/cls_canprio.c
@@ -105,7 +105,9 @@ static void canprio_sff_match_add(struct canprio_rules *rls, u32 can_id, u32 can
        int i;
 
        pr_debug("%s() invoked\n", __FUNCTION__);
+       /* Limit can_mask and can_id to SFF range to protect against write after end of array */
        can_mask &= CAN_SFF_MASK;
+       can_id &= can_mask;
 
        /* single frame */
        if (can_mask == CAN_SFF_MASK) {
@@ -119,9 +121,7 @@ static void canprio_sff_match_add(struct canprio_rules *rls, u32 can_id, u32 can
                return;
        }
 
-       /* individual frame filter: reduce runtime operations */
-       can_id &= can_mask;
-
+       /* individual frame filter */
        /* Add record (set bit to 1) for each ID that conforms particular rule */
        for (i = 0; i < (1 << CAN_SFF_ID_BITS); i++) {
                if ((i & can_mask) == can_id)