DragonFlyBSD Kernel Audit
DF-0326 / env.txt
=== uname -a ===
DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64

=== cc version ===
cc 8.3 [DragonFly] Release/2019-02-22

=== ifconfig -l (radio check) ===
vtnet0 lo0

=== kldstat ===
Id Refs Address                Size Name
 1    7 0xffffffff80200000  1ae0408 kernel
 2    1 0xffffffff81ce1000    7c288 ehci.ko
 3    1 0xffffffff81d5e000    8c778 xhci.ko
 4    1 0xffffffff82600000    7f000 if_wg.ko

=== wlan modules present on disk ===
wlan.ko
wlan_acl.ko
wlan_amrr.ko
wlan_ccmp.ko
wlan_rssadapt.ko
wlan_tkip.ko
wlan_wep.ko
wlan_xauth.ko

=== vulnerable symbols in /boot/kernel/kernel ===
ffffffff8078c4c0 T ieee80211_add_scan
ffffffff8077dc50 T ieee80211_init_neighbor
ffffffff8076ce50 T ieee80211_parse_beacon
ffffffff8077d1f0 T ieee80211_sta_join
ffffffff8077c570 t ieee80211_sta_join1

=== sizeof pointer check ===
ptr=
=== beacon.bin size ===
printf: illegal format character z
-rw-r--r--  1 maxx  maxx  239 Jul  1 16:09 beacon.bin

=== beacon SSID IE length byte (offset 0x25) ===
00000024  00 c0                                             |..|
00000026

=== LP64 pointer size (proven by node_overflow: sizeof(void*)=8 in the struct replica) ===
x86_64, ni_chan field measured size=8 -> 64-bit kernel ABI

================================================================================
HOST-SIDE SOURCE ANALYSIS (read-only sys/ tree) -- the dead-flag proof
================================================================================
=== IEEE80211_BPARSE_SSID_INVALID across sys/ : only SET + DEFINED, NEVER read ===
sys/netproto/802_11/wlan/ieee80211_input.c:680	    scan->status |= IEEE80211_BPARSE_SSID_INVALID);   <- SET (cosmetic verify)
sys/netproto/802_11/ieee80211_scan.h:209	IEEE80211_BPARSE_SSID_INVALID = 0x08,                  <- DEFINED
(no consumer reads it -> the oversized SSID reaches all 3 memcpy sinks unimpeded)

=== contrast: sibling flags OFFCHAN / RATES_INVALID ARE consumed ===
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:296	if ((sp->status & IEEE80211_BPARSE_OFFCHAN) == 0) {
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:319	if (sp->status & IEEE80211_BPARSE_OFFCHAN) {
sys/netproto/802_11/wlan/ieee80211_hostap.c:1707		if (ieee80211_parse_beacon(...) &~ IEEE80211_BPARSE_OFFCHAN)
sys/netproto/802_11/wlan/ieee80211_hostap.c:1768		if (scan.status & IEEE80211_BPARSE_OFFCHAN) {

=== rate set IS KASSERT-guarded; SSID is NOT (the asymmetry) ===
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:285	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE, ...)
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:290	KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE, ...)

=== GENERIC config builds wlan into the base kernel ===
sys/config/X86_64_GENERIC:258	device		wlan		# 802.11 support