DragonFlyBSD Kernel Audit
DF-0286

Missing length validation in mesh action frame handler: OOB read of stale data

Summary

mesh_recv_action_meshlmetric (:2548) casts frm+2 to meshlmetric_ie without first checking that efrm-frm >= 2+sizeof(ie) (8). parse_action only guarantees 2 bytes of frame body, so a truncated action frame makes the handler read up to 6 bytes past the valid frame body. This finding is the gateway to the DF-0287 division by zero.
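
The missing check, as an added illustration that is not DragonFlyBSD source: a stand-alone model of the length test the handler needs before it touches frm+2. The names lmetric_model, lmetric_overread and lmetric_parse, the 6-byte element size (chosen so the total matches the 8 bytes above) and the sample frames are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define ACTION_HDR_LEN 2  /* the 2 bytes parse_action guarantees */
#define LMETRIC_IE_LEN 6  /* ASSUMPTION: modelled element size, so 2 + 6 = 8 */

/* Hypothetical decoded form; the kernel's meshlmetric_ie layout is not reproduced. */
struct lmetric_model {
    uint8_t  id;
    uint8_t  len;
    uint32_t metric;
};

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t frame_full[8]  = { 0x0d, 0x00, 0x73, 0x04, 0x10, 0x00, 0x00, 0x00 };
static const uint8_t frame_trunc[2] = { 0x0d, 0x00 };

/* Bytes an unchecked cast of frm+2 would read past efrm for this body length. */
size_t lmetric_overread(const uint8_t *frm, const uint8_t *efrm)
{
    size_t need = ACTION_HDR_LEN + LMETRIC_IE_LEN;
    size_t have;

    if (frm == NULL || efrm == NULL || efrm < frm)
        return need;
    have = (size_t)(efrm - frm);
    return have >= need ? 0 : need - have;
}

/* Checked parse: returns 0 and fills *out, or -1 when the frame is truncated.
 * Nothing at or beyond frm+2 is read until the length test has passed. */
int lmetric_parse(const uint8_t *frm, const uint8_t *efrm, struct lmetric_model *out)
{
    const uint8_t *ie;

    if (frm == NULL || efrm == NULL || out == NULL || efrm < frm)
        return -1;
    if ((size_t)(efrm - frm) < ACTION_HDR_LEN + LMETRIC_IE_LEN)
        return -1;  /* truncated action frame: drop it */

    ie = frm + ACTION_HDR_LEN;
    out->id = ie[0];
    out->len = ie[1];
    /* Decode byte by byte (little-endian) instead of casting the buffer. */
    out->metric = (uint32_t)ie[2] | ((uint32_t)ie[3] << 8) |
                  ((uint32_t)ie[4] << 16) | ((uint32_t)ie[5] << 24);
    return 0;
}
```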