[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230320005636.1429242-2-sashal@kernel.org>
Date: Sun, 19 Mar 2023 20:56:25 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Alexander Aring <aahringo@...hat.com>,
lianhui tang <bluetlh@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
Sasha Levin <sashal@...nel.org>, alex.aring@...il.com,
miquel.raynal@...tlin.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
linux-wpan@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH AUTOSEL 5.4 02/12] ca8210: fix mac_len negative array access
From: Alexander Aring <aahringo@...hat.com>
[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
This patch fixes a buffer overflow access of skb->data if
ieee802154_hdr_peek_addrs() fails.
Reported-by: lianhui tang <bluetlh@...il.com>
Signed-off-by: Alexander Aring <aahringo@...hat.com>
Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com
Signed-off-by: Stefan Schmidt <stefan@...enfreihafen.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
drivers/net/ieee802154/ca8210.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 66cf09e637e4e..498a82ab4eaf4 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -1955,6 +1955,8 @@ static int ca8210_skb_tx(
* packet
*/
mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+ if (mac_len < 0)
+ return mac_len;
secspec.security_level = header.sec.level;
secspec.key_id_mode = header.sec.key_id_mode;
--
2.39.2
Powered by blists - more mailing lists