From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Robertson <dan@dlrobertson.com>,
	Alexander Aring <aahringo@redhat.com>,
	Stefan Schmidt <stefan@datenfreihafen.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wpan@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr
Date: Mon,  7 Jun 2021 12:14:59 -0400
Message-ID: <20210607161517.3584577-1-sashal@kernel.org>

From: Dan Robertson <dan@dlrobertson.com>

[ Upstream commit 9fdd04918a452980631ecc499317881c1d120b70 ]

Fix a logic error that could result in a null deref if the user sets
the mode incorrectly for the given addr type.

Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://lore.kernel.org/r/20210423040214.15438-2-dan@dlrobertson.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/nl802154.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
index b1c55db73764..6d4c71a52b6b 100644
--- a/net/ieee802154/nl802154.c
+++ b/net/ieee802154/nl802154.c
@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla,
 				     nl802154_dev_addr_policy, NULL))
 		return -EINVAL;
 
-	if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] ||
-	    !attrs[NL802154_DEV_ADDR_ATTR_MODE] ||
-	    !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] ||
-	      attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]))
+	if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || !attrs[NL802154_DEV_ADDR_ATTR_MODE])
 		return -EINVAL;
 
 	addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]);
 	addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]);
 	switch (addr->mode) {
 	case NL802154_DEV_ADDR_SHORT:
+		if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT])
+			return -EINVAL;
 		addr->short_addr = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]);
 		break;
 	case NL802154_DEV_ADDR_EXTENDED:
+		if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])
+			return -EINVAL;
 		addr->extended_addr = nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]);
 		break;
 	default:
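Review bot: the commit message should name the failing case, because the fix is only obvious once the removed check at the top of the hunk is read against the switch. That check accepted a request when either NL802154_DEV_ADDR_ATTR_SHORT or NL802154_DEV_ADDR_ATTR_EXTENDED was present, while the switch reads the attribute selected by addr->mode, so a mode of NL802154_DEV_ADDR_SHORT with only the EXTENDED attribute supplied (or the reverse) passed a NULL attrs[] entry to nla_get_le16() or nla_get_le64(). The per-case checks close that path. Two smaller points: there is no Fixes: tag, which would help when deciding how far back this needs to go in stable, and the new combined PAN_ID/MODE condition runs to roughly 89 columns, so keeping one test per line as the removed lines did would match the surrounding style.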
-- 
2.30.2

