DragonFlyBSD Kernel Audit
DF-0275

Heap buffer overflow in WPA/RSN IE construction: variable-length IE written into fixed sizeof(ieee80211_ie_wpa)=100 slot

Summary

add_ie() (line 1976) performs memcpy(frm, ie, 2+ie[1]) and trusts the IE length byte unconditionally. The frame allocators reserve a fixed sizeof(ieee80211_ie_wpa)=100 bytes for this element, while the ioctl permits ie[1] up to 1022 (IEEE80211_MAX_APPIE). Any IE longer than 98 bytes of body therefore overflows the heap-allocated mbuf data area. Remote trigger: once such an IE is installed, the AP builds a probe response for every probe request it receives, so add_rsn/add_wpa overflow on each one. Precondition: WiFi-management capability is needed to set the IE in the first place.
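Added illustration of the two checks that close this gap, written for this audit note and not DragonFlyBSD's code or its actual fix: the 100-byte slot, the IEEE80211_MAX_APPIE value of 1022 and the memcpy(frm, ie, 2+ie[1]) pattern come from the finding; the names IE_WPA_SLOT_SIZE, MAX_APPIE, wpa_appie_admissible, add_ie_bounded and try_install_and_place are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Slot the frame allocators reserve for the WPA/RSN IE: sizeof(struct
 * ieee80211_ie_wpa) == 100 per the finding, modelled here as a constant. */
#define IE_WPA_SLOT_SIZE 100u
/* Largest application-IE buffer the ioctl accepts (IEEE80211_MAX_APPIE). */
#define MAX_APPIE 1022u
#define IE_HDR_LEN 2u            /* element ID byte + length byte */

/* Admission check for the management (ioctl) path. buflen is what the caller
 * actually supplied, so truncated IEs (length byte claiming more than was
 * handed in) are refused along with anything that cannot later fit the fixed
 * slot: 2 + ie[1] <= 100, i.e. ie[1] <= 98. */
static int wpa_appie_admissible(const uint8_t *ie, size_t buflen)
{
    if (buflen < IE_HDR_LEN || buflen > MAX_APPIE)
        return 0;
    size_t total = IE_HDR_LEN + ie[1];
    if (total > buflen)
        return 0;
    return total <= IE_WPA_SLOT_SIZE;
}

/* Bounded replacement for memcpy(frm, ie, 2 + ie[1]): the caller passes the
 * room left in the frame and the copy happens only if the whole IE fits.
 * Returns the advanced frame pointer, or NULL with nothing written. */
static uint8_t *add_ie_bounded(uint8_t *frm, size_t avail, const uint8_t *ie)
{
    size_t n = IE_HDR_LEN + ie[1];
    if (n > avail)
        return NULL;
    memcpy(frm, ie, n);
    return frm + n;
}

/* Constructed sample: an IE with the given body length goes through the
 * ioctl-side check and is then placed into a 100-byte slot. Returns 1 if
 * both steps accept it, 0 if either refuses. */
static int try_install_and_place(uint8_t body_len)
{
    uint8_t ie[IE_HDR_LEN + 255];
    uint8_t slot[IE_WPA_SLOT_SIZE];
    ie[0] = 0xdd;                /* vendor-specific element ID used by WPA */
    ie[1] = body_len;
    memset(ie + IE_HDR_LEN, 0xAA, body_len);
    if (!wpa_appie_admissible(ie, IE_HDR_LEN + body_len))
        return 0;
    return add_ie_bounded(slot, sizeof(slot), ie) != NULL;
}
```

A body of 98 bytes is the largest that fits the slot; 99 is the first length the original unchecked copy would write past it.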