can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM

commit 164051a6ab5445bd97f719f50b16db8b32174269 upstream.

The TP.CM_BAM message must be sent to the global address [1], so add a
check to drop TP.CM_BAM sent to a non-global address.

Without this patch, the receiver will treat the following packets as
normal RTS/CTS transport:
18EC0102#20090002FF002301
18EB0102#0100000000000000
18EB0102#020000FFFFFFFFFF

[1] SAE-J1939-82 2015 A.3.3 Row 1.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/1635431907-15617-4-git-send-email-zhangchangzhong@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index fe35fdad35c9ba70c4c63146cb337c4f4c7a3964..9c39b0f5d6e07d3dabc1b649ecffe1b2ddd88340 100644 (file)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -2004,6 +2004,12 @@ static void j1939_tp_cmd_recv(struct j1939_priv *priv, struct sk_buff *skb)
                extd = J1939_ETP;
                fallthrough;
        case J1939_TP_CMD_BAM:
+               if (cmd == J1939_TP_CMD_BAM && !j1939_cb_is_broadcast(skcb)) {
+                       netdev_err_once(priv->ndev, "%s: BAM to unicast (%02x), ignoring!\n",
+                                       __func__, skcb->addr.sa);
+                       return;
+               }
+               fallthrough;
        case J1939_TP_CMD_RTS: /* fall through */
                if (skcb->addr.type != extd)
                        return;