* [PATCH v2] wifi: cfg80211: Fix uninitialized header access in cfg80211_classify8021d
@ 2025-11-07 18:33 Ranganath V N
From: Ranganath V N @ 2025-11-07 18:33 UTC (permalink / raw)
To: Johannes Berg, Dave Täht, John W. Linville
Cc: linux-wireless, linux-kernel, skhan, david.hunter.linux, khalid,
syzbot+878ddc3962f792e9af59, Ranganath V N
Fix an issue detected by syzbot with KMSAN
BUG: KMSAN: uninit-value in cfg80211_classify8021d+0x99d/0x12b0 net/wireless/util.c:1027
The function accessed DSCP fields from IP and IPv6 headers without first
verifying that sufficient header data was present in the skb. When a
packet reaches this path, the header dereference could access
uninitialized memory, as reported by KMSAN under fuzzing with syzkaller.
Add explicit pskb_may_pull() checks for both IPv4 and IPv6 headers to
ensure that the required header data is available before extracting the
DSCP field. This prevents uninitialized memory reads while preserving
existing behavior for valid packets.
This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link. Fixes the uninitialized
header access.
Reported-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com./bug?extid=878ddc3962f792e9af59
Tested-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Fixes: b156579b1404 ("wireless: Treat IPv6 diffserv the same as IPv4 for 802.11e")
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
Validate the header before the DSCP read in cfg80211_classify8021d().
Add pskb_may_pull() checks before accessing header structures to ensure
safe and fully initialized data access.
---
Changes in v2:
- Corrected the commit subject and Fixes tag.
- Link to v1: https://lore.kernel.org/r/20251103-fifth-v1-1-4a221737ddfe@gmail.com
---
net/wireless/util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 56724b33af04..23bca5e687c1 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -963,9 +963,13 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
switch (skb->protocol) {
case htons(ETH_P_IP):
+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+ return 0;
dscp = ipv4_get_dsfield(ip_hdr(skb)) & 0xfc;
break;
case htons(ETH_P_IPV6):
+ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
+ return 0;
dscp = ipv6_get_dsfield(ipv6_hdr(skb)) & 0xfc;
break;
case htons(ETH_P_MPLS_UC):
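Review bot: the length passed to pskb_may_pull() in both new checks is measured from skb->data, but ip_hdr()/ipv6_hdr() read at the network header offset, so whenever skb->data sits before the network header (the MAC header still in the linear area, for example) the pull can succeed while the DSCP read still lands beyond the validated bytes. Either pull relative to the network header, e.g. `if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(struct iphdr)))` and the same with `sizeof(struct ipv6hdr)` for the IPv6 case, or copy the field out with skb_header_pointer() into a stack buffer, which also sidesteps pskb_may_pull() possibly reallocating the skb head. The `return 0` fallback (best-effort TID) on a truncated header is reasonable, but the commit message should say that this is the intended classification for such packets.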
---
base-commit: ba36dd5ee6fd4643ebbf6ee6eefcecf0b07e35c7
change-id: 20251101-fifth-84c599edf594
Best regards,
--
Ranganath V N <vnranganath.20@gmail.com>
* Re: [PATCH v2] wifi: cfg80211: Fix uninitialized header access in cfg80211_classify8021d
From: Johannes Berg @ 2025-11-10 9:28 UTC (permalink / raw)
To: Ranganath V N, Dave Täht, John W. Linville
Cc: linux-wireless, linux-kernel, skhan, david.hunter.linux, khalid,
syzbot+878ddc3962f792e9af59
On Sat, 2025-11-08 at 00:03 +0530, Ranganath V N wrote:
>
> +++ b/net/wireless/util.c
> @@ -963,9 +963,13 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
>
> switch (skb->protocol) {
> case htons(ETH_P_IP):
> + if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> + return 0;
> dscp = ipv4_get_dsfield(ip_hdr(skb)) & 0xfc;
> break;
That doesn't seem correct to me, passing only the IP header length to
pskb_may_pull() call assumes that ip_hdr(skb) == skb->data, which is
almost certainly not true?
MPLS seems to not have this problem.
And maybe there's a similar issue for the VLAN tag?
johannes