Linux Kernel AP_VLAN NULL Pointer Dereference Vulnerability in mac80211

A NULL pointer dereference vulnerability has been identified in the Linux kernel's mac80211 component, specifically affecting stations on AP_VLAN interfaces, such as 4addr WDS clients. The issue arises in the ieee80211_chan_bw_change() function, which iterates through stations and accesses link data. For AP_VLAN stations, the link data is not properly initialized, leading to a NULL pointer dereference when the function attempts to access channel information during Channel Switch Announcement (CSA) processing. This vulnerability has been addressed by modifying the function to correctly resolve the VLAN station data to its parent AP station data before accessing the link information.

Impact

Exploitation of this vulnerability leads to a crash of the wireless driver, causing a denial of service by disrupting network connectivity.

Reproduction

The vulnerability can be reproduced by configuring a wireless interface to use AP_VLAN with 4addr WDS clients. When the ieee80211_chan_bw_change() function is called, it will attempt to access link data for the WDS clients, resulting in a NULL pointer dereference and a crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.