From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Fri, 19 Sep 2025 17:03:04 +0000 (+0200)
Subject: Merge patch series "can: populate ndo_change_mtu() to prevent buffer overflow"
X-Git-Tag: v6.17~19^2~6^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3ed215cb2147e98981de5321fd1b1d0e3dceb1c;p=thirdparty%2Fkernel%2Fstable.git

Merge patch series "can: populate ndo_change_mtu() to prevent buffer overflow"

Vincent Mailhol <mailhol@kernel.org> says:

Four drivers, namely etas_es58x, hi311x, sun4i_can and mcba_usb forgot
to populate their net_device_ops->ndo_change_mtu(). Because of that,
the user is free to configure any MTU on these interfaces.

This can be abused by an attacker who could craft some skbs and send
them through PF_PACKET to perform a buffer overflow of up to 247 bytes
in each of these drivers.

This series contains four patches, one for each of the drivers, to add
the missing ndo_change_mtu() callback. The descriptions contain
detailed explanations of how the buffer overflow could be triggered.

Link: https://patch.msgid.link/20250918-can-fix-mtu-v1-0-0d1cada9393b@kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---

a3ed215cb2147e98981de5321fd1b1d0e3dceb1c