git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Tue, 17 Feb 2026 12:05:26 +0000 (13:05 +0100)
committer	Johannes Berg <johannes.berg@intel.com>
	Mon, 23 Feb 2026 08:23:44 +0000 (09:23 +0100)
commit	c854758abe0b8d86f9c43dc060ff56a0ee5b31e0
tree	c5b2fd4f3d994b737573ef47c47e74a872a8a01f	tree \| snapshot
parent	767d23ade706d5fa51c36168e92a9c5533c351a1	commit \| diff

wifi: radiotap: reject radiotap with unknown bits

The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.

Cc: stable@vger.kernel.org
Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>