DF-0285 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_mesh.c b/sys/netproto/802_11/wlan/ieee80211_mesh.c
--- a/sys/netproto/802_11/wlan/ieee80211_mesh.c
+++ b/sys/netproto/802_11/wlan/ieee80211_mesh.c
@@ -3456,8 +3456,16 @@
 void
 ieee80211_parse_meshid(struct ieee80211_node *ni, const uint8_t *ie)
 {
-	ni->ni_meshidlen = ie[1];
-	memcpy(ni->ni_meshid, ie + 2, ie[1]);
+	uint8_t len = ie[1];
+
+	/* DF-0285: ie[1] is an attacker-controlled length from a received mesh
+	 * beacon/probe-response IE. ni_meshid is a fixed IEEE80211_MESHID_LEN(32)
+	 * byte array; an unchecked length overflows into ni_mlstate / ni_mllid /
+	 * ni_mlpid / ni_mltimer(.toc pointer) and beyond. Clamp it. */
+	if (len > IEEE80211_MESHID_LEN)
+		len = IEEE80211_MESHID_LEN;
+	ni->ni_meshidlen = len;
+	memcpy(ni->ni_meshid, ie + 2, len);
 }
 
 /*
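Review bot: The clamp on the two `if (len > IEEE80211_MESHID_LEN)` lines silently truncates an over-long mesh ID instead of treating it as malformed, so a peer advertising, say, a 40-byte ID is stored as its first 32 bytes and may later compare equal to a legitimate 32-byte mesh ID wherever ni_meshid/ni_meshidlen are matched. Because the function returns void, the safer in-function behaviour is to refuse the copy and leave the frame to the caller: `if (len > IEEE80211_MESHID_LEN) { ni->ni_meshidlen = 0; return; }`. If the callers already bound this element before calling (the beacon/probe-response parsing path in this stack's FreeBSD lineage verifies element lengths, I believe via IEEE80211_VERIFY_ELEMENT, before handing the IE here — worth confirming in this tree), the comment should say so rather than assert an overflow path that is not reachable, e.g. `/* Defense in depth: callers are expected to have verified ie[1] <= IEEE80211_MESHID_LEN. */`. The struct-layout claim in the added comment (which fields the overflow lands in) will go stale with any change to struct ieee80211_node; stating only that ni_meshid is IEEE80211_MESHID_LEN bytes is enough.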