ca8210: fix mac_len negative array access

This patch fixes a buffer overflow access of skb->data if ieee802154_hdr_peek_addrs() fails. Reported-by: lianhui tang <bluetlh@gmail.com> Signed-off-by: Alexander Aring <aahringo@redhat.com> Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
2023-02-16 23:25:04 -05:00 · 2023-02-16 23:25:04 -05:00 · 6c993779ea
parent 044c8bf78d
commit 6c993779ea
1 changed files with 2 additions and 0 deletions
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@ -1913,6 +1913,8 @@ static int ca8210_skb_tx(
 	 * packet
 	 */
 	mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+	if (mac_len < 0)
+		return mac_len;

 	secspec.security_level = header.sec.level;
 	secspec.key_id_mode = header.sec.key_id_mode;