-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wolfgang Grandegger wrote:
> Hi Oliver,
> 
> On 09/09/2009 09:25 AM, Oliver Hartkopp wrote:
>> Sebastian Haas wrote:
> [snip]
>>> +   cf = (struct can_frame *)skb_put(skb, sizeof(struct can_frame));
>>> +   memset(cf, 0, sizeof(struct can_frame));
>> Please remove the memset.
>>
>>> +
>>> +   cf->can_id  = msg->msg.canmsg.id;
>>> +   cf->can_dlc = msg->msg.canmsg.length>  8 ? 8 : msg->msg.canmsg.length;
>>> +
>>> +   if (msg->type == CPC_MSG_T_XCAN || msg->type == CPC_MSG_T_XRTR)
>>> +           cf->can_id |= CAN_EFF_FLAG;
>>> +
>>> +   if (msg->type == CPC_MSG_T_RTR || msg->type == CPC_MSG_T_XRTR) {
>>> +           cf->can_id |= CAN_RTR_FLAG;
>>> +   } else {
>>> +           *(u64 *)(&cf->data) = 0; /* clear payload */
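Review bot: the "*(u64 *)(&cf->data) = 0; /* clear payload */" store in the else branch duplicates the memset() of the whole frame done right after skb_put(); of the two, drop the u64 store and keep the memset(). The memset() is the one that matters: the complete struct can_frame is what reaches userspace, so any data[] bytes beyond can_dlc that are never written arrive there straight from the freshly allocated skb. The u64 store does not cover that case either, since it only runs on the non-RTR path and relies on data being exactly 8 bytes and 8-byte aligned, while memset(cf, 0, sizeof(struct can_frame)) makes no such assumptions.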
>> And this also (which is also doubled regarding the memset() above).
>>
>> can_dlc gives the information about valid data[] and the rest may be
>> uninitialized.
>>
>> @Wolfgang: Is the leakage of kernel memory a problem in this case?
>>
>> Like here:
>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84b90ae5eb3c112d1f208964df1d8156a538289
> 
> Well, I do not understand why a missing memset could cause a memory 
> leak. Do you have more information?

The whole can_frame is copied into userspace. If we e.g. receive an RTR
frame with dlc == 0 and don't memset the 8 data bytes, we copy ("leak") 8
bytes of more or less random kernel memory to userspace.

This might be the problem....

cheers, Marc

- --
Pengutronix e.K.                         | Marc Kleine-Budde           |
Linux Solutions for Science and Industry | Phone: +49-231-2826-924     |
Vertretung West/Dortmund                 | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686         | http://www.pengutronix.de   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqoCPAACgkQjTAFq1RaXHOH8QCbBdesyGI5y8OyOWI5Ss53p+ae
4AkAmwdNPeGX/ldnHNejGFDXVaTdDKxK
=oHOF
-----END PGP SIGNATURE-----
_______________________________________________
Socketcan-core mailing list
Socketcan-core@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/socketcan-core
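The leak Marc describes above, as an added example that is not part of the thread, the patch or the socketcan tree: a struct can_frame is assembled in memory that already holds stale bytes (a stand-in for a freshly allocated skb, poisoned here with 0xA5 so the stale bytes are countable), once the way the hunk would look with the memset() removed and once with the memset() kept. The rx_msg layout, the build_frame_* helpers and leak_count() are constructed for the illustration and are not the driver's code.

```c
/* Added example, not from the patch or the socketcan tree. Models the
 * kernel-to-userspace info leak discussed in the thread in plain
 * userspace C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t canid_t;
#define CAN_EFF_FLAG 0x80000000U
#define CAN_RTR_FLAG 0x40000000U
#define CAN_MAX_DLC  8

/* Same shape as the Linux struct can_frame of that era: id, dlc,
 * 3 padding bytes, then 8 data bytes aligned to 8. Everything in this
 * struct is copied to userspace verbatim. */
struct can_frame {
    canid_t can_id;
    uint8_t can_dlc;
    uint8_t data[8] __attribute__((aligned(8)));
};

/* Constructed stand-in for the received device message (hypothetical). */
struct rx_msg {
    int     rtr;         /* 1 for a remote-transmission request */
    canid_t id;
    uint8_t length;      /* as reported by the device, may exceed 8 */
    uint8_t payload[8];
};

/* Fill the buffer with a marker pattern standing in for whatever the
 * previous owner of the memory left behind. */
static void poison(void *buf, size_t n) { memset(buf, 0xA5, n); }

/* Build the frame as the hunk would with the memset() removed: only the
 * first can_dlc bytes of data[] are ever written. */
static void build_frame_leaky(struct can_frame *cf, const struct rx_msg *m)
{
    cf->can_id  = m->id;
    cf->can_dlc = m->length > CAN_MAX_DLC ? CAN_MAX_DLC : m->length;
    if (m->rtr)
        cf->can_id |= CAN_RTR_FLAG;          /* no payload at all */
    else
        memcpy(cf->data, m->payload, cf->can_dlc);
}

/* Hardened variant: zero the whole frame first, then fill it. */
static void build_frame_safe(struct can_frame *cf, const struct rx_msg *m)
{
    memset(cf, 0, sizeof(*cf));
    build_frame_leaky(cf, m);
}

/* Count bytes that still carry the poison pattern, i.e. bytes that would
 * reach userspace uninitialized. */
static size_t stale_bytes(const struct can_frame *cf)
{
    const uint8_t *p = (const uint8_t *)cf;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*cf); i++)
        if (p[i] == 0xA5)
            n++;
    return n;
}

/* One scenario: returns how many stale bytes the finished frame contains. */
size_t leak_count(int use_memset, int rtr, uint8_t length)
{
    struct can_frame cf;
    struct rx_msg m = { .rtr = rtr, .id = 0x123, .length = length };
    memset(m.payload, 0x11, sizeof(m.payload));  /* constructed payload */
    poison(&cf, sizeof(cf));                     /* "fresh" skb memory */
    if (use_memset)
        build_frame_safe(&cf, &m);
    else
        build_frame_leaky(&cf, &m);
    return stale_bytes(&cf);
}

int main(void)
{
    printf("RTR, dlc 0, no memset:   %zu stale bytes\n", leak_count(0, 1, 0));
    printf("data, dlc 3, no memset:  %zu stale bytes\n", leak_count(0, 0, 3));
    printf("data, dlc 12, no memset: %zu stale bytes\n", leak_count(0, 0, 12));
    printf("RTR, dlc 0, memset:      %zu stale bytes\n", leak_count(1, 1, 0));
    return 0;
}
```

With the memset() removed, an RTR frame with dlc == 0 leaves all 8 data bytes plus the 3 padding bytes after can_dlc uninitialized (11 bytes); even a clamped dlc of 8 still leaks the padding. With the memset() in place the count is zero in every case, which is the whole point of keeping it.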