Re: [PATCH] mac80211_hwsim: correctly handle zero length frames
From: Anirudh Rayabharam <hidden>
Date: 2021-06-23 07:26:45
Also in:
linux-kernel-mentees, lkml, netdev
On Fri, Jun 18, 2021 at 11:36:16AM +0200, Johannes Berg wrote:
> On Thu, 2021-06-10 at 21:49 +0530, Anirudh Rayabharam wrote:
> > syzbot, using KMSAN, has reported an uninit-value access in hwsim_cloned_frame_received_nl(). This is happening because frame_data_len is 0. The code doesn't detect this case and blindly tries to read the frame's header. Fix this by bailing out in case frame_data_len is 0.
>
> This really seems quite pointless - you should bail out if the frame is too short for what we need to do, not just when it's 0.
>
> johannes

That makes sense. Do you happen to know what the min length of a valid frame is? There doesn't seem to be a constant defined for that already.

- Anirudh
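
The point raised in review, as an added user-space example (not code from the patch or from mac80211_hwsim): a non-zero check still lets a 1-byte frame reach the header read, while a minimum-length check does not. The 24-byte three-address 802.11 header layout, the `MIN_FRAME_LEN` name and the choice of `addr2` as the field being read are assumptions; the thread does not state which minimum the driver needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the 24-byte three-address 802.11 MAC header. */
struct hdr_3addr {
    uint8_t frame_control[2];
    uint8_t duration_id[2];
    uint8_t addr1[6];
    uint8_t addr2[6];
    uint8_t addr3[6];
    uint8_t seq_ctrl[2];
};

#define MIN_FRAME_LEN sizeof(struct hdr_3addr) /* hypothetical constant */

/* Check as described in the patch text: rejects only empty frames. */
int accept_nonzero(size_t frame_data_len)
{
    return frame_data_len != 0;
}

/* Check asked for in review: reject frames shorter than the header to be read. */
int accept_min_len(size_t frame_data_len)
{
    return frame_data_len >= MIN_FRAME_LEN;
}

/* Copies addr2 out of the frame only after the length check passes; -1 if too short. */
int read_addr2(const uint8_t *frame, size_t frame_data_len, uint8_t out[6])
{
    if (!accept_min_len(frame_data_len))
        return -1;
    memcpy(out, frame + offsetof(struct hdr_3addr, addr2), 6);
    return 0;
}

int main(void)
{
    uint8_t frame[24] = {0}, out[6]; /* constructed sample frame */
    size_t lens[] = {0, 1, 10, 24};
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%zu nonzero=%d min_len=%d read=%d\n", lens[i],
               accept_nonzero(lens[i]), accept_min_len(lens[i]),
               read_addr2(frame, lens[i], out));
    return 0;
}
```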