git.ipfire.org Git - thirdparty/linux.git/commit

author	Deepanshu Kartikey <kartikey406@gmail.com>
	Sun, 31 May 2026 01:17:21 +0000 (06:47 +0530)
committer	Johannes Berg <johannes.berg@intel.com>
	Tue, 2 Jun 2026 11:26:33 +0000 (13:26 +0200)
commit	6c0cf89f36ac0c0fd8687a4ccdce2efb23a9c663
tree	0ad35eeac1fc0af920602dcd15380d8e4124fa7b	tree \| snapshot
parent	4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1	commit \| diff

wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap

When parsing the radiotap header of an injected frame,
ieee80211_parse_tx_radiotap() uses the IEEE80211_RADIOTAP_ANTENNA value
directly as a shift count:

info->control.antennas |= BIT(*iterator.this_arg);

*iterator.this_arg is an 8-bit value taken straight from the frame
supplied by userspace, so BIT() can be asked to shift by up to 255. That
is undefined behaviour on the unsigned long and is reported by UBSAN:

  UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2174:30
  shift exponent 235 is too large for 64-bit type 'unsigned long'
  Call Trace:
   ieee80211_parse_tx_radiotap+0xadb/0x1950 net/mac80211/tx.c:2174
   ieee80211_monitor_start_xmit+0xb1f/0x1250 net/mac80211/tx.c:2451
   ...
   packet_sendmsg+0x3eb6/0x50f0 net/packet/af_packet.c:3109

info->control.antennas is a 2-bit bitmap (u8 antennas:2), so only antenna
indices 0 and 1 can ever be represented. Ignore any larger value instead
of shifting out of bounds.

Reported-by: syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8e0622f6d9446420271f
Fixes: ef246a1480cc ("wifi: mac80211: support antenna control in injection")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260531011721.102941-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>