can: skb: drop tx skb if in listen only mode

Frames can be directly injected to a can driver via the packet
socket. By doing so, it is possible to reach the
net_device_ops::ndo_start_xmit function even if the driver is
configured in listen only mode.

Add a check in can_dropped_invalid_skb() to discard the skb if
CAN_CTRLMODE_LISTENONLY is set.

Link: https://lore.kernel.org/all/20220610143009.323579-8-mailhol.vincent@wanadoo.fr
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Acked-by: Max Staudt <max@enpas.org>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

diff --git a/drivers/net/can/dev/skb.c b/drivers/net/can/dev/skb.c
index dc9da76..8bb62dd 100644 (file)
--- a/drivers/net/can/dev/skb.c
+++ b/drivers/net/can/dev/skb.c
@@ -5,6 +5,7 @@
  */
 
 #include <linux/can/dev.h>
+#include <linux/can/netlink.h>
 #include <linux/module.h>
 
 #define MOD_DESC "CAN device driver interface"
@@ -293,6 +294,7 @@ static bool can_skb_headroom_valid(struct net_device *dev, struct sk_buff *skb)
 bool can_dropped_invalid_skb(struct net_device *dev, struct sk_buff *skb)
 {
        const struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+       struct can_priv *priv = netdev_priv(dev);
 
        if (skb->protocol == htons(ETH_P_CAN)) {
                if (unlikely(skb->len != CAN_MTU ||
@@ -306,8 +308,13 @@ bool can_dropped_invalid_skb(struct net_device *dev, struct sk_buff *skb)
                goto inval_skb;
        }
 
-       if (!can_skb_headroom_valid(dev, skb))
+       if (!can_skb_headroom_valid(dev, skb)) {
+               goto inval_skb;
+       } else if (priv->ctrlmode & CAN_CTRLMODE_LISTENONLY) {
+               netdev_info_once(dev,
+                                "interface in listen only mode, dropping skb\n");
                goto inval_skb;
+       }
 
        return false;