From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 3 Apr 2023 13:48:33 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.14.312~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2fa3760f1f4f743b47c3942b7af2162948edc026;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch
---

diff --git a/queue-4.14/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch b/queue-4.14/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch
new file mode 100644
index 00000000000..db00293505b
--- /dev/null
+++ b/queue-4.14/ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch
@@ -0,0 +1,43 @@
+From 748b2f5e82d17480404b3e2895388fc2925f7caf Mon Sep 17 00:00:00 2001
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 6 Mar 2023 11:18:24 -0800
+Subject: ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+commit 748b2f5e82d17480404b3e2895388fc2925f7caf upstream.
+
+mac_len is of type unsigned, which can never be less than zero.
+
+	mac_len = ieee802154_hdr_peek_addrs(skb, &header);
+	if (mac_len < 0)
+		return mac_len;
+
+Change this to type int as ieee802154_hdr_peek_addrs() can return negative
+integers, this is found by static analysis with smatch.
+
+Fixes: 6c993779ea1d ("ca8210: fix mac_len negative array access")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230306191824.4115839-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -1944,10 +1944,9 @@ static int ca8210_skb_tx(
+ 	struct ca8210_priv  *priv
+ )
+ {
+-	int status;
+ 	struct ieee802154_hdr header = { 0 };
+ 	struct secspec secspec;
+-	unsigned int mac_len;
++	int mac_len, status;
+ 
+ 	dev_dbg(&priv->spi->dev, "ca8210_skb_tx() called\n");
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index c56f1bda3b1..d27a806557b 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -63,3 +63,4 @@ s390-uaccess-add-missing-earlyclobber-annotations-to-__clear_user.patch
 usb-host-ohci-pxa27x-fix-and-vs-typo.patch
 ext4-fix-kernel-bug-in-ext4_write_inline_data_end.patch
 net-sched-cbq-dont-intepret-cls-results-when-asked-to-drop.patch
+ca8210-fix-unsigned-mac_len-comparison-with-zero-in-ca8210_skb_tx.patch