Re: [PATCH v2] wifi: cfg80211: Fix uninitialized header access in cfg80211_classify8021d
From: Johannes Berg
Date: Mon Nov 10 2025 - 04:33:15 EST
On Sat, 2025-11-08 at 00:03 +0530, Ranganath V N wrote:
>
> +++ b/net/wireless/util.c
> @@ -963,9 +963,13 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
>
> switch (skb->protocol) {
> case htons(ETH_P_IP):
> + if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> + return 0;
> dscp = ipv4_get_dsfield(ip_hdr(skb)) & 0xfc;
> break;
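Review bot: the length in the added `pskb_may_pull(skb, sizeof(struct iphdr))` is counted from skb->data, but the following line reads the header through ip_hdr(skb), which is located at the network header offset. Unless the two coincide at this point, the check does not cover the bytes that ipv4_get_dsfield() dereferences. Suggest including the offset in the length, e.g. `pskb_may_pull(skb, skb_network_offset(skb) + sizeof(struct iphdr))`, and keeping the ip_hdr(skb) call after the pull, as it is now, since a pull may reallocate the header.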
That doesn't seem correct to me, passing only the IP header length to
the pskb_may_pull() call assumes that ip_hdr(skb) == skb->data, which is
almost certainly not true?
MPLS seems to not have this problem.
And maybe there's a similar issue for the VLAN tag?
johannes
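
Added example, not part of the original message and not kernel code: a simplified userspace model of the length check discussed above, showing what happens when the pull length is counted from the data pointer while the IP header sits at an offset. The `model_skb` struct, `model_may_pull()`, `classify()`, the 14-byte Ethernet offset and the sample frame are all constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14  /* assumption: skb->data sits at the Ethernet header */
#define IPV4_HDR_LEN 20  /* sizeof(struct iphdr) */
enum { CHECK_REJECTED = -1, READ_PAST_LINEAR = -2 };

/* Userspace model of the sk_buff fields involved; not kernel code. */
struct model_skb {
    const uint8_t *data;   /* like skb->data */
    size_t linear_len;     /* bytes directly readable at data */
    size_t total_len;      /* like skb->len */
    size_t network_offset; /* like skb_network_offset(skb) */
};

/* Constructed frame: Ethernet header, then an IPv4 header with TOS 0xb8. */
static const uint8_t frame[ETH_HDR_LEN + IPV4_HDR_LEN] = {
    [12] = 0x08, [13] = 0x00, [14] = 0x45, [15] = 0xb8,
};

/* Models pskb_may_pull(): len is counted from data, not from the IP header. */
static int model_may_pull(struct model_skb *skb, size_t len)
{
    if (len <= skb->linear_len) return 1;
    if (len > skb->total_len) return 0;
    skb->linear_len = len; /* the kernel would pull from fragments here */
    return 1;
}

/* offset_aware = 0 is the check in the quoted hunk; 1 adds the header offset. */
static int classify(size_t total_len, size_t linear_len, int offset_aware)
{
    struct model_skb skb = { frame, linear_len, total_len, ETH_HDR_LEN };
    size_t need = IPV4_HDR_LEN + (offset_aware ? skb.network_offset : 0);

    if (!model_may_pull(&skb, need)) return CHECK_REJECTED;
    if (skb.network_offset + IPV4_HDR_LEN > skb.linear_len) return READ_PAST_LINEAR;
    return skb.data[skb.network_offset + 1] & 0xfc; /* TOS byte -> DSCP bits */
}

int main(void)
{
    printf("truncated, hunk check:    %d\n", classify(24, 24, 0));
    printf("truncated, offset check:  %d\n", classify(24, 24, 1));
    printf("fragmented, hunk check:   %d\n", classify(34, 14, 0));
    printf("fragmented, offset check: %d\n", classify(34, 14, 1));
    return 0;
}
```

In the model, a 24-byte packet passes the 20-byte check even though only 10 bytes of IP header exist behind the Ethernet header; the offset-aware length rejects it.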