DragonFlyBSD Kernel Audit
DF-0289

UAF/TOCTOU: mesh route pointers returned unreferenced, forward_to_gates drops lock mid-traversal

Summary

ieee80211_mesh_rt_find(:230-241) returns rt after MESH_RT_UNLOCK without taking a reference. Callers dereference rt->rt_flags/rt_nexthop unlocked, while the ms_cleantimer callout can free the route concurrently. forward_to_gates(:1146) calls MESH_RT_UNLOCK and then re-LOCKs inside TAILQ_FOREACH_SAFE, so the saved next cursor can be freed while the lock is dropped. Result: UAF of the mesh route/gate struct.
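
Added example, not code from the audited kernel: a user-space C model of the fix pattern for the lookup half of this finding, where the lookup takes a reference before unlocking and the cleanup path drops only the table's reference. All names (`route_find_ref`, `route_release`, `route_expire`, `tbl_lock`, `freed`) are hypothetical, and the forward_to_gates traversal is not modeled.

```c
#include <pthread.h>
#include <stdlib.h>
#include <sys/queue.h>

/* User-space model; every name is hypothetical, not the kernel's. */
struct route { TAILQ_ENTRY(route) link; int dest, flags, refs; };
static TAILQ_HEAD(, route) tbl = TAILQ_HEAD_INITIALIZER(tbl);
static pthread_mutex_t tbl_lock = PTHREAD_MUTEX_INITIALIZER;
int freed;                          /* demo counter of freed routes */

/* Both helpers require tbl_lock to be held. */
static void unref_locked(struct route *rt) {
    if (--rt->refs == 0) { free(rt); freed++; }
}
static struct route *find_locked(int dest) {
    struct route *rt;
    TAILQ_FOREACH(rt, &tbl, link)
        if (rt->dest == dest) break;
    return rt;                      /* NULL when the loop ran to the end */
}
void route_add(int dest, int flags) {
    struct route *rt = calloc(1, sizeof(*rt));
    if (!rt) abort();
    rt->dest = dest; rt->flags = flags; rt->refs = 1;  /* table's ref */
    pthread_mutex_lock(&tbl_lock);
    TAILQ_INSERT_TAIL(&tbl, rt, link);
    pthread_mutex_unlock(&tbl_lock);
}
/* Lookup takes the caller's reference BEFORE dropping the lock. */
struct route *route_find_ref(int dest) {
    pthread_mutex_lock(&tbl_lock);
    struct route *rt = find_locked(dest);
    if (rt) rt->refs++;
    pthread_mutex_unlock(&tbl_lock);
    return rt;
}
void route_release(struct route *rt) {
    pthread_mutex_lock(&tbl_lock);
    unref_locked(rt);
    pthread_mutex_unlock(&tbl_lock);
}
/* Cleanup-timer model: unlink, drop only the table's reference. */
void route_expire(int dest) {
    pthread_mutex_lock(&tbl_lock);
    struct route *rt = find_locked(dest);
    if (rt) { TAILQ_REMOVE(&tbl, rt, link); unref_locked(rt); }
    pthread_mutex_unlock(&tbl_lock);
}
```

Calling `route_add`, `route_find_ref`, then `route_expire` on the same destination leaves the returned pointer valid; the memory is freed only by the matching `route_release`.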