Linux Kernel NULL Pointer Dereference Vulnerability in mac80211 Mesh Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's mac80211 module, specifically within the mesh networking functionality. The issue arises in the 'mesh_rx_csa_frame()' function, where the 'mesh_chansw_params_ie' element is accessed without a prior NULL check. This oversight can lead to a kernel crash, as confirmed on Linux kernel 6.17.0-5-generic. The vulnerability exists because the 'mesh_matches_local()' function only verifies certain mesh parameters and does not ensure the presence of the Mesh Channel Switch Parameters IE (element ID 118). As a result, a remote mesh peer with an established link can exploit this by sending a crafted Channel Switch Action frame that omits the necessary IE, causing a NULL pointer dereference and a subsequent kernel crash.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash. The error message indicates a NULL pointer dereference in the 'ieee80211_mesh_rx_queued_mgmt' function, which is part of the mac80211 module.

Reproduction

To reproduce this vulnerability, a remote mesh peer must send a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. This can be done using a tool that simulates mesh networking behavior, such as 'mac80211_hwsim', which is available in the Linux kernel.

Remediation

The vulnerability has been fixed by adding a NULL check for the 'mesh_chansw_params_ie' after the 'mesh_matches_local()' validation, ensuring that optional IEs are properly checked before being accessed.
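
The pattern behind the fix, shown as an added userspace example (not the kernel patch and not code from the original advisory): a parser leaves the pointer for an absent optional element NULL, and the handler must test it before reading. The struct, function names, element layout and sample bytes are simplified assumptions; only element ID 118 and the field name 'mesh_chansw_params_ie' come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 118 is the ID named above; 113/114 are the standard Mesh Configuration
 * and Mesh ID element IDs. Names and layout here are a simplified model. */
enum { EID_MESH_CONFIG = 113, EID_MESH_ID = 114, EID_CHANSW_PARAM = 118 };
#define CHANSW_PARAM_LEN 6 /* ttl, flags, reason (2), precedence (2) */

struct elems { /* stand-in for the kernel's parsed-elements struct */
    const uint8_t *mesh_id, *mesh_config;
    const uint8_t *mesh_chansw_params_ie; /* stays NULL when absent */
};

/* Walk id/len/value triplets; a truncated element ends the walk. */
static void parse_elems(const uint8_t *p, size_t len, struct elems *e)
{
    e->mesh_id = e->mesh_config = e->mesh_chansw_params_ie = NULL;
    while (len >= 2 && (size_t)p[1] + 2 <= len) {
        uint8_t id = p[0], elen = p[1];
        if (id == EID_MESH_ID)
            e->mesh_id = p + 2;
        else if (id == EID_MESH_CONFIG)
            e->mesh_config = p + 2;
        else if (id == EID_CHANSW_PARAM && elen == CHANSW_PARAM_LEN)
            e->mesh_chansw_params_ie = p + 2;
        len -= (size_t)elen + 2;
        p += (size_t)elen + 2;
    }
}

/* Model of the fixed handler: returns the mesh TTL, or -1 if dropped. */
static int rx_csa_frame_checked(const uint8_t *ies, size_t len)
{
    struct elems e;
    parse_elems(ies, len, &e);
    if (!e.mesh_id || !e.mesh_config) /* stand-in for mesh_matches_local() */
        return -1;
    if (!e.mesh_chansw_params_ie)     /* the added check: drop the frame */
        return -1;
    return e.mesh_chansw_params_ie[0]; /* first byte of the element: TTL */
}

/* Constructed, shortened samples: identity IEs with and without 118. */
static const uint8_t with_ie[] = {114,1,'m', 113,1,0, 118,6,5,0,0,0,0,0};
static const uint8_t without_ie[] = {114,1,'m', 113,1,0};

int main(void)
{
    printf("with IE: %d, without IE: %d\n",
           rx_csa_frame_checked(with_ie, sizeof with_ie),
           rx_csa_frame_checked(without_ie, sizeof without_ie));
    return 0;
}
```

Without the second check, the final read in the handler would go through a NULL pointer for the second sample, which is the crash condition the advisory describes.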

Added: Mar 25, 2026, 11:25 AM
Updated: Mar 25, 2026, 11:25 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.