Patch "ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 03 Apr 2023 15:48:34 +0200

This is a note to let you know that I've just added the patch titled

    ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 748b2f5e82d17480404b3e2895388fc2925f7caf Mon Sep 17 00:00:00 2001
From: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Date: Mon, 6 Mar 2023 11:18:24 -0800
Subject: ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()

From: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>

commit 748b2f5e82d17480404b3e2895388fc2925f7caf upstream.

mac_len is of type unsigned, which can never be less than zero.

	mac_len = ieee802154_hdr_peek_addrs(skb, &header);
	if (mac_len < 0)
		return mac_len;

Change this to type int as ieee802154_hdr_peek_addrs() can return negative
integers, this is found by static analysis with smatch.

Fixes: 6c993779ea1d ("ca8210: fix mac_len negative array access")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Acked-by: Alexander Aring <aahringo@xxxxxxxxxx>
Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20230306191824.4115839-1-harshit.m.mogalapalli@xxxxxxxxxx
Signed-off-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/ieee802154/ca8210.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -1944,10 +1944,9 @@ static int ca8210_skb_tx(
 	struct ca8210_priv  *priv
 )
 {
-	int status;
 	struct ieee802154_hdr header = { 0 };
 	struct secspec secspec;
-	unsigned int mac_len;
+	int mac_len, status;
 
 	dev_dbg(&priv->spi->dev, "ca8210_skb_tx() called\n");
 


Patches currently in stable-queue which might be from harshit.m.mogalapalli@xxxxxxxxxx are

queue-4.14/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch
queue-4.14/net-sched-cbq-dont-intepret-cls-results-when-asked-to-drop.patch






