can: Fix data length code handling in rx path
A valid CAN dataframe can have a data length code (DLC) of 0 .. 8 data bytes.
When reading the CAN controllers register the 4-bit value may contain values
from 0 .. 15 which may exceed the reserved space in the socket buffer!
The ISO 11898-1 Chapter 8.4.2.3 (DLC field) says that register values > 8
should be reduced to 8 without any error reporting or frame drop.
This patch introduces a new helper macro to cast a given 4-bit data length
code (dlc) to __u8 and ensure the DLC value to be max. 8 bytes.
The different handlings in the rx path of the CAN netdevice drivers are fixed.
Signed-off-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
index b4ba88a..542a4f7 100644
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -293,15 +293,14 @@
uint8_t fi;
uint8_t dreg;
canid_t id;
- uint8_t dlc;
int i;
+ /* create zero'ed CAN frame buffer */
skb = alloc_can_skb(dev, &cf);
if (skb == NULL)
return;
fi = priv->read_reg(priv, REG_FI);
- dlc = fi & 0x0F;
if (fi & FI_FF) {
/* extended frame format (EFF) */
@@ -318,16 +317,15 @@
| (priv->read_reg(priv, REG_ID2) >> 5);
}
- if (fi & FI_RTR)
+ if (fi & FI_RTR) {
id |= CAN_RTR_FLAG;
+ } else {
+ cf->can_dlc = get_can_dlc(fi & 0x0F);
+ for (i = 0; i < cf->can_dlc; i++)
+ cf->data[i] = priv->read_reg(priv, dreg++);
+ }
cf->can_id = id;
- cf->can_dlc = dlc;
- for (i = 0; i < dlc; i++)
- cf->data[i] = priv->read_reg(priv, dreg++);
-
- while (i < 8)
- cf->data[i++] = 0;
/* release receive buffer */
priv->write_reg(priv, REG_CMR, CMD_RRB);
@@ -335,7 +333,7 @@
netif_rx(skb);
stats->rx_packets++;
- stats->rx_bytes += dlc;
+ stats->rx_bytes += cf->can_dlc;
}
static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status)