Commit c854758a authored Feb 17, 2026 by Johannes Berg

wifi: radiotap: reject radiotap with unknown bits



The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.

Cc: stable@vger.kernel.org
Fixes: 33e5a2f7 ("wireless: update radiotap parser")
Reported-by:  <syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 767d23ad

net/wireless/radiotap.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
		default:
		if (!iterator->current_namespace \|\|
		iterator->_arg_index >= iterator->current_namespace->n_bits) {
		if (iterator->current_namespace == &radiotap_ns)
		return -ENOENT;
		align = 0;
		} else {
		align = iterator->current_namespace->align_size[iterator->_arg_index].align;
		size = iterator->current_namespace->align_size[iterator->_arg_index].size;
		}
		if (!align) {
		if (iterator->current_namespace == &radiotap_ns)
		return -ENOENT;
		/* skip all subsequent data */
		iterator->_arg = iterator->_next_ns_data;
		/* give up on this namespace */