=== uname -a === DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64 === cc version === cc 8.3 [DragonFly] Release/2019-02-22 === ifconfig -l (radio check) === vtnet0 lo0 === kldstat === Id Refs Address Size Name 1 7 0xffffffff80200000 1ae0408 kernel 2 1 0xffffffff81ce1000 7c288 ehci.ko 3 1 0xffffffff81d5e000 8c778 xhci.ko 4 1 0xffffffff82600000 7f000 if_wg.ko === wlan modules present on disk === wlan.ko wlan_acl.ko wlan_amrr.ko wlan_ccmp.ko wlan_rssadapt.ko wlan_tkip.ko wlan_wep.ko wlan_xauth.ko === vulnerable symbols in /boot/kernel/kernel === ffffffff8078c4c0 T ieee80211_add_scan ffffffff8077dc50 T ieee80211_init_neighbor ffffffff8076ce50 T ieee80211_parse_beacon ffffffff8077d1f0 T ieee80211_sta_join ffffffff8077c570 t ieee80211_sta_join1 === sizeof pointer check === ptr= === beacon.bin size === printf: illegal format character z -rw-r--r-- 1 maxx maxx 239 Jul 1 16:09 beacon.bin === beacon SSID IE length byte (offset 0x25) === 00000024 00 c0 |..| 00000026 === LP64 pointer size (proven by node_overflow: sizeof(void*)=8 in the struct replica) === x86_64, ni_chan field measured size=8 -> 64-bit kernel ABI ================================================================================ HOST-SIDE SOURCE ANALYSIS (read-only sys/ tree) -- the dead-flag proof ================================================================================ === IEEE80211_BPARSE_SSID_INVALID across sys/ : only SET + DEFINED, NEVER read === sys/netproto/802_11/wlan/ieee80211_input.c:680 scan->status |= IEEE80211_BPARSE_SSID_INVALID); <- SET (the bit is set here, but nothing downstream tests it) sys/netproto/802_11/ieee80211_scan.h:209 IEEE80211_BPARSE_SSID_INVALID = 0x08, <- DEFINED (no consumer tests the bit, so the flag does not stop an oversized SSID from reaching the three memcpy sinks) === contrast: sibling flags OFFCHAN / RATES_INVALID ARE consumed === sys/netproto/802_11/wlan/ieee80211_scan_sta.c:296 if ((sp->status & 
IEEE80211_BPARSE_OFFCHAN) == 0) { sys/netproto/802_11/wlan/ieee80211_scan_sta.c:319 if (sp->status & IEEE80211_BPARSE_OFFCHAN) { sys/netproto/802_11/wlan/ieee80211_hostap.c:1707 if (ieee80211_parse_beacon(...) &~ IEEE80211_BPARSE_OFFCHAN) sys/netproto/802_11/wlan/ieee80211_hostap.c:1768 if (scan.status & IEEE80211_BPARSE_OFFCHAN) { === rate-set length IS KASSERT-guarded; SSID length is NOT (the asymmetry; note that KASSERT is a sanity assertion that panics on failure, not a graceful rejection path) === sys/netproto/802_11/wlan/ieee80211_scan_sta.c:285 KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE, ...) sys/netproto/802_11/wlan/ieee80211_scan_sta.c:290 KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE, ...) === GENERIC config builds wlan into the base kernel === sys/config/X86_64_GENERIC:258 device wlan # 802.11 support