This is an automated email from the ASF dual-hosted git repository.

acassis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git


The following commit(s) were added to refs/heads/master by this push:
     new b840bf6552b drivers/can/ctucanfd_pci: Fix Malformed CAN Data Msg 
(address off-by-one)
b840bf6552b is described below

commit b840bf6552bb01ccecb8cc972c176e3faad543a2
Author: Catalin Visinescu <[email protected]>
AuthorDate: Wed Jun 17 09:50:11 2026 -0400

    drivers/can/ctucanfd_pci: Fix Malformed CAN Data Msg (address off-by-one)
    
    PR https://github.com/apache/nuttx/pull/19139 addresses the issue, but there
    is one minor problem. In the for loop the element `i+1` is written which
    means there can still be an overflow by one element (uint32_t or 4 bytes).
    
    Addressing here with this PR.
    
    Tested locally, builds fine.
    
    Signed-off-by: Catalin Visinescu <[email protected]>
---
 drivers/can/ctucanfd_pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/can/ctucanfd_pci.c b/drivers/can/ctucanfd_pci.c
index 62382c3cbbb..d8287b8fbd8 100644
--- a/drivers/can/ctucanfd_pci.c
+++ b/drivers/can/ctucanfd_pci.c
@@ -762,7 +762,7 @@ static void ctucanfd_chardev_receive(FAR struct 
ctucanfd_can_s *priv)
 
       /* buff[0] populated the frame->fmt.rwcnt. Check before use. */
 
-      if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]))
+      if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]) - 1)
         {
           canerr("ERROR: CAN read/write count is too large.  Dropped\n");
           return;
@@ -1259,7 +1259,7 @@ static FAR netpkt_t *ctucanfd_sock_recv(FAR struct 
netdev_lowerhalf_s *dev)
 
   /* buff[0] populated the frame->fmt.rwcnt. Check before use. */
 
-  if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]))
+  if (frame->fmt.rwcnt > sizeof(buff) / sizeof(buff[0]) - 1)
     {
       canerr("ERROR: CAN read/write count is too large.  Dropped\n");
       return NULL;

Reply via email to