The SocketCAN implementation uses NET_ASSERT to validate the length of a user-provided buffer that may contain a socketcan_frame object before dereferencing the object. In production builds, assertions may be disabled, which can cause out-of-bounds reads when processing an incomplete or truncated frame.
Details
- A userspace application issues a sendto syscall passing a pointer to a buffer and the length of the buffer.
- The zcan_sendto_ctx function processes the received data and validates the length of the buffer using only an assert statement (sockets_can.c:L259) before calling socketcan_to_can_frame.
- In socketcan_to_can_frame (socketcan_utils.h:L40-L45), fields from the buffer are dereferenced without any additional validation.
Potential Impact
If the NET_ASSERT statement is compiled out in a production build and an attacker can influence the length of data sent by the application, the attacker can cause out-of-bounds memory reads, poison internal memory structures or cause denial-of-service crashes. Because the accessed memory contents are sent via the network, this can further lead to exfiltration of sensitive data stored in memory (sockets_can.c:L263).
Recommended Fix
Add an explicit runtime check in zcan_sendto_ctx: `if (len != sizeof(struct socketcan_frame)) return -EINVAL;`. This should be a standard if check, not an assertion, so that the length is validated in production builds as well.
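The assertion-only pattern beside the recommended runtime check, as an added example that is not Zephyr's code: the struct layout and the NET_ASSERT stand-in are assumptions made for illustration, and the function names are hypothetical.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct socketcan_frame; the field layout is an
 * assumption for this example, not Zephyr's real header. */
struct socketcan_frame {
    uint32_t can_id;
    uint8_t len;
    uint8_t flags;
    uint8_t res0[2];
    uint8_t data[8];
};

/* Stand-in for NET_ASSERT: like the real macro, it becomes a no-op in a
 * production build (modelled here by NDEBUG), so it is not a security check. */
#ifdef NDEBUG
#define NET_ASSERT(cond) ((void)0)
#else
#define NET_ASSERT(cond) assert(cond)
#endif

/* Vulnerable pattern: the only length check is an assertion. With NDEBUG the
 * memcpy reads sizeof(*out) bytes from a buffer that may be shorter. */
int frame_from_user_assert_only(const void *buf, size_t len,
                                struct socketcan_frame *out)
{
    NET_ASSERT(len == sizeof(struct socketcan_frame));
    memcpy(out, buf, sizeof(*out));
    return 0;
}

/* Hardened pattern, as the advisory recommends: an ordinary if check that
 * survives every build configuration and rejects truncated input. */
int frame_from_user_checked(const void *buf, size_t len,
                            struct socketcan_frame *out)
{
    if (buf == NULL || out == NULL || len != sizeof(struct socketcan_frame)) {
        return -EINVAL;
    }
    memcpy(out, buf, sizeof(*out));
    return 0;
}
```

Compiling with -DNDEBUG makes the assertion-only variant accept a four-byte buffer and copy past its end, while the checked variant returns -EINVAL for the same input.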
Patches
main: #104654
v4.3: #104679
v4.2: #104678
v3.7: #104677
For more information
If you have any questions or comments about this advisory:
embargo: 2026-05-18