This is an automated email from the ASF dual-hosted git repository.
xiaoxiang781216 pushed a commit to branch releases/13.0
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/releases/13.0 by this push:
new 63c095ffefe drivers/can/ctucanfd_pci: Fix Malformed CAN Data Msg
(address off-by-one)
63c095ffefe is described below
commit 63c095ffefee5e62e64e081a03d2f6bd759bc1fe
Author: Catalin Visinescu <[email protected]>
AuthorDate: Wed Jun 17 09:50:11 2026 -0400
drivers/can/ctucanfd_pci: Fix Malformed CAN Data Msg (address off-by-one)
PR https://github.com/apache/nuttx/pull/19139 addresses the issue, but there
is one minor problem. In the for loop the element `i+1` is written which
means there can still be an overflow by one element (uint32_t or 4 bytes).
Addressing here with this PR.
Tested locally, builds fine.
Signed-off-by: Catalin Visinescu <[email protected]>
---
drivers/can/ctucanfd_pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/can/ctucanfd_pci.c b/drivers/can/ctucanfd_pci.c
index 62382c3cbbb..d8287b8fbd8 100644
--- a/drivers/can/ctucanfd_pci.c
+++ b/drivers/can/ctucanfd_pci.c
@@ -762,7 +762,7 @@ static void ctucanfd_chardev_receive(FAR struct
ctucanfd_can_s *priv)
/* buff[0] populated the frame->fmt.rwcnt. Check before use. */
- if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]))
+ if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]) - 1)
{
canerr("ERROR: CAN read/write count is too large. Dropped\n");
return;
@@ -1259,7 +1259,7 @@ static FAR netpkt_t *ctucanfd_sock_recv(FAR struct
netdev_lowerhalf_s *dev)
/* buff[0] populated the frame->fmt.rwcnt. Check before use. */
- if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]))
+ if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]) - 1)
{
canerr("ERROR: CAN read/write count is too large. Dropped\n");
return NULL;