This is a note to let you know that I've just added the patch titled
ca8210: fix mac_len negative array access
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ca8210-fix-mac_len-negative-array-access.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 141ee3b03517b66735866b49de89f9b2ad98a36f
Author: Alexander Aring <aahringo@xxxxxxxxxx>
Date: Thu Feb 16 23:25:04 2023 -0500
ca8210: fix mac_len negative array access
[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
This patch fixes a buffer overflow access of skb->data if
ieee802154_hdr_peek_addrs() fails.
Reported-by: lianhui tang <bluetlh@xxxxxxxxx>
Signed-off-by: Alexander Aring <aahringo@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@xxxxxxxxxx
Signed-off-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 0362917fce7a9..e2322bc3a4e9a 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -1956,6 +1956,8 @@ static int ca8210_skb_tx(
* packet
*/
mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+ if (mac_len < 0)
+ return mac_len;
secspec.security_level = header.sec.level;
secspec.key_id_mode = header.sec.key_id_mode;
