Linux Kernel Radiotap Parser Vulnerability in Unknown Bit Handling

Vulnerability

A vulnerability in the Linux kernel's radiotap parser has been addressed. The issue arose because the parser only recognized the radiotap namespace, not vendor namespaces. When a header used the undefined field 18, the parser could not determine the correct alignment or size for it, which left the iterator's next namespace data uninitialized. This uninitialized value was later used in a comparison, so the outcome of that comparison was unpredictable. The vulnerability has been fixed by changing the order of operations in the parser so that unknown radiotap fields are handled properly.
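The hazard described above, as an added userspace sketch in C (not the kernel's code and not the upstream fix): every field offset depends on the size and alignment of the fields before it, so a set bit with no known size, such as bit 18, leaves nothing safe to compute, and this walker rejects the header. The name `rtap_check`, the error codes, the transcribed field table (bits 0 to 22 only) and the sample headers are assumptions made for this example; namespace and extension bits 29 to 31 are out of scope.

```c
#include <stddef.h>
#include <stdint.h>

/* {align, size} per field bit (assumed table, bits 0-22); {0,0} = undefined. */
static const struct { uint8_t align, size; } rtap_fields[] = {
    {8,8},{1,1},{1,1},{2,4},{2,2},{1,1},{1,1},{2,2},{2,2},{2,2},{1,1},{1,1},
    {1,1},{1,1},{2,2},{2,2},{1,1},{1,1},{0,0},{1,3},{4,8},{2,12},{8,12},
};
#define RTAP_NFIELDS (sizeof(rtap_fields) / sizeof(rtap_fields[0]))
enum { RTAP_EMALFORMED = -1, RTAP_EUNKNOWN = -2, RTAP_EUNSUPPORTED = -3 };

/* Walk one radiotap header; returns fields walked or a negative RTAP_E* code. */
int rtap_check(const uint8_t *buf, size_t buflen)
{
    if (buflen < 8 || buf[0] != 0)              /* fixed header, version 0 */
        return RTAP_EMALFORMED;
    size_t len = buf[2] | (size_t)buf[3] << 8;  /* header length, little endian */
    if (len < 8 || len > buflen)
        return RTAP_EMALFORMED;
    uint32_t present = buf[4] | buf[5] << 8 | buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (present >> 29)                /* namespace switch or extra bitmap word */
        return RTAP_EUNSUPPORTED;     /* not handled by this sketch */
    size_t off = 8;
    int n = 0;
    for (unsigned bit = 0; bit < 29; bit++) {
        if (!(present & (1u << bit))) continue;
        /* Unknown bit: its size and alignment are unknowable, so every later
         * offset would be a guess. Reject instead of skipping ahead. */
        if (bit >= RTAP_NFIELDS || rtap_fields[bit].align == 0)
            return RTAP_EUNKNOWN;
        size_t a = rtap_fields[bit].align;
        off = (off + a - 1) & ~(a - 1);   /* alignment is relative to header start */
        if (off + rtap_fields[bit].size > len)
            return RTAP_EMALFORMED;       /* field would run past the header */
        off += rtap_fields[bit].size;
        n++;
    }
    return n;
}

/* Constructed sample headers for this example (not captured traffic). */
const uint8_t rtap_ok[]    = {0,0,10,0, 0x06,0,0,0, 0x10,0x02};        /* Flags+Rate */
const uint8_t rtap_bit18[] = {0,0,12,0, 0x06,0,0x04,0, 0x10,0x02,0,0}; /* + bit 18 */
const uint8_t rtap_short[] = {0,0,8,0,  0x01,0,0,0};                   /* TSFT, no data */

int main(void)
{
    return rtap_check(rtap_ok, sizeof rtap_ok) == 2 ? 0 : 1; /* 0 = sample parsed */
}
```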

Impact

The vulnerability could lead to incorrect data handling in the radiotap parser, potentially causing crashes or undefined behavior in applications that rely on this data.

Reproduction

The vulnerability can be reproduced by giving the radiotap parser a packet that includes the undefined field 18, which creates a mismatch in data alignment and size. The crafted field causes the parser to skip necessary vendor namespace data and compare against an uninitialized iterator value.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Mar 25, 2026, 11:54 AM
Updated: Mar 25, 2026, 11:54 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.