DF-0285 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_mesh.c b/sys/netproto/802_11/wlan/ieee80211_mesh.c
--- a/sys/netproto/802_11/wlan/ieee80211_mesh.c
+++ b/sys/netproto/802_11/wlan/ieee80211_mesh.c
@@ -3456,8 +3456,16 @@
 void
 ieee80211_parse_meshid(struct ieee80211_node *ni, const uint8_t *ie)
 {
-	ni->ni_meshidlen = ie[1];
-	memcpy(ni->ni_meshid, ie + 2, ie[1]);
+	uint8_t len = ie[1];
+
+	/* DF-0285: ie[1] is an attacker-controlled length from a received mesh
+	 * beacon/probe-response IE. ni_meshid is a fixed IEEE80211_MESHID_LEN(32)
+	 * byte array; an unchecked length overflows into ni_mlstate / ni_mllid /
+	 * ni_mlpid / ni_mltimer(.toc pointer) and beyond. Clamp it. */
+	if (len > IEEE80211_MESHID_LEN)
+		len = IEEE80211_MESHID_LEN;
+	ni->ni_meshidlen = len;
+	memcpy(ni->ni_meshid, ie + 2, len);
 }
 
 /*
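Review bot: The clamp on `len` stops the write past ni_meshid, but it silently accepts a truncated Mesh ID instead of rejecting an element that exceeds IEEE80211_MESHID_LEN, so a node can end up carrying a mesh ID that differs from what the peer actually advertised and later mesh-ID comparisons operate on bad data. Since the Mesh ID element is never legitimately longer than IEEE80211_MESHID_LEN, treating the oversize case as a malformed element is the cleaner contract: `if (len > IEEE80211_MESHID_LEN) { ni->ni_meshidlen = 0; return; }` (whether an emptied or an unchanged ni_meshidlen is the right outcome depends on callers outside this hunk). The memcpy still trusts `ie[1]` relative to the end of the received frame; this hunk bounds the write, not the read, so the call sites must already have verified the element length against the remaining frame length, which I cannot confirm from the diff. The added comment also hard-codes neighbouring field names (ni_mlstate, ni_mllid, ni_mlpid, ni_mltimer) and a tracker id; a shorter comment such as `/* ie[1] is untrusted; ni_meshid holds at most IEEE80211_MESHID_LEN bytes */` will not rot when the struct layout changes.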