Linux Kernel mwifiex NULL Pointer Dereference Vulnerability

A vulnerability in the Linux kernel's mwifiex wireless driver can lead to a NULL pointer dereference. This issue occurs in the 'mwifiex_handle_uap_rx_forward()' function, where the return value of 'skb_copy()' is not properly checked. If the copying fails, the original socket buffer (skb) is not dropped, potentially causing a NULL pointer dereference in 'mwifiex_uap_queue_bridged_pkt()'. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can cause a NULL pointer dereference, leading to a crash of the wireless driver and potentially causing a denial of service on the affected system.

Reproduction

To reproduce this vulnerability, send a multicast packet to a device using the mwifiex driver. The driver will attempt to copy the packet using 'skb_copy()'. If the copy operation fails, the original socket buffer is not properly handled, leading to a NULL pointer dereference when the driver tries to process the packet.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.