| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230320005413.1428452-3-sashal@kernel.org>
Date: Sun, 19 Mar 2023 20:53:45 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Alexander Aring <aahringo@...hat.com>,
lianhui tang <bluetlh@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
Sasha Levin <sashal@...nel.org>, alex.aring@...il.com,
miquel.raynal@...tlin.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
linux-wpan@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH AUTOSEL 6.1 03/29] ca8210: fix mac_len negative array access
From: Alexander Aring <aahringo@...hat.com>
[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
This patch fixes a buffer overflow access of skb->data if
ieee802154_hdr_peek_addrs() fails.
Reported-by: lianhui tang <bluetlh@...il.com>
Signed-off-by: Alexander Aring <aahringo@...hat.com>
Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com
Signed-off-by: Stefan Schmidt <stefan@...enfreihafen.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
drivers/net/ieee802154/ca8210.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index e1a569b99e4a6..0b0c6c0764fe9 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -1913,6 +1913,8 @@ static int ca8210_skb_tx(
* packet
*/
mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+ if (mac_len < 0)
+ return mac_len;
secspec.security_level = header.sec.level;
secspec.key_id_mode = header.sec.key_id_mode;
--
2.39.2
Powered by blists - more mailing lists