ca8210: fix mac_len negative array access

This patch fixes a buffer overflow access of skb->data if ieee802154_hdr_peek_addrs() fails. Reported-by: lianhui tang <bluetlh@gmail.com> Signed-off-by: Alexander Aring <aahringo@redhat.com> Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.comSigned-off-by: Stefan Schmidt <stefan@datenfreihafen.org>

ca8210: fix mac_len negative array access
This patch fixes a buffer overflow access of skb->data if ieee802154_hdr_peek_addrs() fails. Reported-by: lianhui tang <bluetlh@gmail.com> Signed-off-by: Alexander Aring <aahringo@redhat.com> Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.comSigned-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
6c993779 · Alexander Aring · Stefan Schmidt · 044c8bf7 · 6c993779
Commit 6c993779 authored Feb 16, 2023 by Alexander Aring Committed by Stefan Schmidt Mar 02, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

drivers/net/ieee802154/ca8210.c drivers/net/ieee802154/ca8210.c +2 -0

No files found.
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -1913,6 +1913,8 @@ static int ca8210_skb_tx(
 	 * packet
 	 */
 	mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+	if (mac_len < 0)
+		return mac_len;

 	secspec.security_level = header.sec.level;
 	secspec.key_id_mode = header.sec.key_id_mode;