DF-0326 / env.txt
=== uname -a ===
DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64
=== cc version ===
cc 8.3 [DragonFly] Release/2019-02-22
=== ifconfig -l (radio check) ===
vtnet0 lo0
=== kldstat ===
Id Refs Address Size Name
1 7 0xffffffff80200000 1ae0408 kernel
2 1 0xffffffff81ce1000 7c288 ehci.ko
3 1 0xffffffff81d5e000 8c778 xhci.ko
4 1 0xffffffff82600000 7f000 if_wg.ko
=== wlan modules present on disk ===
wlan.ko
wlan_acl.ko
wlan_amrr.ko
wlan_ccmp.ko
wlan_rssadapt.ko
wlan_tkip.ko
wlan_wep.ko
wlan_xauth.ko
=== vulnerable symbols in /boot/kernel/kernel ===
ffffffff8078c4c0 T ieee80211_add_scan
ffffffff8077dc50 T ieee80211_init_neighbor
ffffffff8076ce50 T ieee80211_parse_beacon
ffffffff8077d1f0 T ieee80211_sta_join
ffffffff8077c570 t ieee80211_sta_join1
=== sizeof pointer check ===
ptr=                                   <- empty: this check produced no value; the pointer size is established instead by the struct replica in the LP64 section below
=== beacon.bin size ===
printf: illegal format character z     <- the printf format used a %z conversion, which the shell builtin rejects; the size (239 bytes) is taken from ls instead:
-rw-r--r-- 1 maxx maxx 239 Jul 1 16:09 beacon.bin
=== beacon SSID IE length byte (offset 0x25) ===
00000024 00 c0 |..|
00000026
(0x24 = element ID 0x00 = SSID; 0x25 = length byte 0xc0 = 192, against IEEE80211_NWID_LEN = 32. 0x26 + 192 = 230 <= 239, so the oversized IE lies entirely within the file and is not cut off by the frame end)
=== LP64 pointer size (proven by node_overflow: sizeof(void*)=8 in the struct replica) ===
x86_64, ni_chan (a struct ieee80211_channel * in struct ieee80211_node, so its size is sizeof(void*)) measured size=8 -> LP64, 64-bit kernel ABI
================================================================================
HOST-SIDE SOURCE ANALYSIS (read-only sys/ tree) -- the dead-flag proof
================================================================================
=== IEEE80211_BPARSE_SSID_INVALID across sys/: SET + DEFINED, never read BY NAME ===
sys/netproto/802_11/wlan/ieee80211_input.c:680 scan->status |= IEEE80211_BPARSE_SSID_INVALID); <- SET (verify-only: the check flags and continues instead of rejecting the IE; the trailing ')' closes the multi-line macro call this grep hit is cut from)
sys/netproto/802_11/ieee80211_scan.h:209 IEEE80211_BPARSE_SSID_INVALID = 0x08, <- DEFINED
(no consumer tests this bit by name. Caveat: a symbol grep misses callers that test the whole status word returned by ieee80211_parse_beacon; the hostap.c:1707 test quoted below masks only OFFCHAN, so SSID_INVALID does drop the frame on that path. The oversized SSID reaches the 3 memcpy sinks unimpeded only on paths where that return value is ignored or masked, so each sink still needs its call path traced rather than inferred from the grep)
=== contrast: sibling flag OFFCHAN IS consumed by name (RATES_INVALID hits were not captured in this dump) ===
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:296 if ((sp->status & IEEE80211_BPARSE_OFFCHAN) == 0) {
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:319 if (sp->status & IEEE80211_BPARSE_OFFCHAN) {
sys/netproto/802_11/wlan/ieee80211_hostap.c:1707 if (ieee80211_parse_beacon(...) &~ IEEE80211_BPARSE_OFFCHAN) <- whole-status test: any set bit other than OFFCHAN, SSID_INVALID included, rejects the beacon here
sys/netproto/802_11/wlan/ieee80211_hostap.c:1768 if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
=== rate set IS KASSERT-guarded at the sink; SSID is NOT (the asymmetry) ===
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:285 KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE, ...)
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:290 KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE, ...)
(KASSERT is compiled in only with options INVARIANTS, so confirm X86_64_GENERIC sets it before counting it as a guard in the release kernel; and a KASSERT hit is a panic, i.e. a remote DoS, not a graceful reject, so the rate-set guard is defense in depth, not a fix)
=== GENERIC config builds wlan into the base kernel ===
sys/config/X86_64_GENERIC:258 device wlan # 802.11 support
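=== added example: user-space replica of the parse -> status flag -> scan-cache memcpy chain ===
The C below is an added illustration, not DragonFly's code and not part of the original notes. It serves the two points above: the SSID IE length byte at 0x25 of beacon.bin, and the dead-flag argument. It builds a constructed beacon (not beacon.bin itself) with an SSID length byte of 0xc0, walks the IEs the way a VERIFY_ELEMENT-style check does (flag and continue, never reject), and then feeds the result to a scan-cache sink sized for a legal SSID through two callers: one that ignores the parse status, and one patterned on the "&~ OFFCHAN" test quoted from hostap.c:1707. Names mirror the page where it gives them; the struct and function names, and every flag value except SSID_INVALID (0x08, from the page), are local to this example. The sink refuses the copy and returns -1 where a raw memcpy would overflow, so the example runs without corrupting memory.

```c
/* Added example, not DragonFly's code: user-space replica of the
 * parse -> status flag -> scan-cache memcpy chain the notes describe.
 * Struct/function names and all flag values except SSID_INVALID
 * (0x08, from the page) are local to this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IEEE80211_NWID_LEN    32     /* 802.11 maximum SSID length */
#define IEEE80211_ELEMID_SSID 0
#define MGT_HDR_LEN           24     /* FC, duration, addr1-3, seqctl */
#define BEACON_FIXED_LEN      12     /* timestamp, beacon interval, capinfo */
#define BPARSE_BADIELEN       0x01   /* placeholder value */
#define BPARSE_SSID_INVALID   0x08   /* value as on the page */
#define BPARSE_OFFCHAN        0x20   /* placeholder value */

struct bparse {
    const uint8_t *ssid;             /* -> IE id byte, like scan->ssid */
    uint8_t status;
};

/* Walk the IEs after the fixed fields.  As with the VERIFY_ELEMENT-style
 * check on the page, an oversized SSID only sets a status bit; nothing
 * here stops a caller from using sp->ssid afterwards. */
static uint8_t parse_beacon(const uint8_t *f, size_t len, struct bparse *sp)
{
    size_t off = MGT_HDR_LEN + BEACON_FIXED_LEN;      /* 0x24 */
    memset(sp, 0, sizeof *sp);
    while (off + 2 <= len) {
        uint8_t id = f[off], ielen = f[off + 1];
        if (off + 2 + ielen > len) {                  /* IE past frame end */
            sp->status |= BPARSE_BADIELEN;
            break;
        }
        if (id == IEEE80211_ELEMID_SSID)
            sp->ssid = &f[off];
        off += 2 + ielen;
    }
    if (sp->ssid != NULL && sp->ssid[1] > IEEE80211_NWID_LEN)
        sp->status |= BPARSE_SSID_INVALID;
    return sp->status;
}

/* The sink: se_ssid is sized for a legal SSID only.  This replica refuses
 * the copy and returns -1 where a raw memcpy of 1+ssid[1] would overflow. */
struct scan_entry { uint8_t se_ssid[2 + IEEE80211_NWID_LEN]; };

static int sink_copy_ssid(struct scan_entry *ise, const struct bparse *sp)
{
    if (sp->ssid == NULL)
        return 0;
    size_t n = 1 + (size_t)sp->ssid[1];
    if (n > sizeof ise->se_ssid)
        return -1;                                    /* overflow */
    memcpy(ise->se_ssid, sp->ssid, n);
    return 0;
}

/* Path A: parse status ignored.  The flag is dead on this path and the
 * oversized SSID reaches the sink. */
static int path_ignores_status(const uint8_t *f, size_t len)
{
    struct bparse sp; struct scan_entry ise = {{0}};
    (void)parse_beacon(f, len, &sp);
    return sink_copy_ssid(&ise, &sp);
}

/* Path B: the "&~ OFFCHAN" test quoted from hostap.c:1707.  Any other
 * bit, SSID_INVALID included, drops the frame before the sink (returns 1). */
static int path_masks_offchan(const uint8_t *f, size_t len)
{
    struct bparse sp; struct scan_entry ise = {{0}};
    if (parse_beacon(f, len, &sp) & ~BPARSE_OFFCHAN)
        return 1;
    return sink_copy_ssid(&ise, &sp);
}

/* Constructed beacon (not beacon.bin): header, fixed fields, an SSID IE
 * with the given length byte, then a one-rate supported-rates IE.
 * ssid_len = 0xc0 reproduces the 0x00 0xc0 pair at 0x24/0x25. */
static size_t build_beacon(uint8_t *buf, size_t cap, uint8_t ssid_len)
{
    size_t off = MGT_HDR_LEN + BEACON_FIXED_LEN;
    if (cap < off + 2 + ssid_len + 3)
        return 0;
    memset(buf, 0, cap);
    buf[0] = 0x80;                                    /* mgmt / beacon */
    memset(&buf[4], 0xff, 6);                         /* addr1 broadcast */
    buf[off++] = IEEE80211_ELEMID_SSID;
    buf[off++] = ssid_len;
    memset(&buf[off], 'A', ssid_len);
    off += ssid_len;
    buf[off++] = 1; buf[off++] = 1; buf[off++] = 0x82; /* rates: 1 Mb/s */
    return off;
}
```

Running the two paths against the same oversized frame is the check the grep above cannot make: path_ignores_status returns -1 (the sink would overflow), path_masks_offchan returns 1 (dropped before the sink). Mapping each of the three real memcpy sinks to one of these two shapes is the remaining work.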