DragonFlyBSD Kernel Audit
DF-0293

OOB heap read in setwparsnie during WPA/RSN app-IE split

Summary

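The IEEE80211_APPIE_WPA case (lines 2367-2387) splits the supplied blob at data + 2 + data[1], where data[1] is user-controlled. If data[1] is large relative to the allocation, the resulting pointer lands past the end of the buffer. setwparsnie then evaluates ie[1], which is an out-of-bounds byte, before its own guard rejects the input. The result is an out-of-bounds heap read of one or more bytes. Triggering it requires a privileged caller.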
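
One way to bound the split described above, as an added example that is not DragonFlyBSD code: `split_app_ie`, `struct ie_split` and the sample blobs are hypothetical, and requiring the second element to end exactly at the end of the blob is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper, not DragonFlyBSD code. Splits a blob of one or two
 * TLV information elements (id, len, payload) without reading past blob_len. */
struct ie_split {
    const uint8_t *first, *second;   /* second is NULL when absent */
    size_t first_len, second_len;    /* lengths include the 2-byte header */
};

/* Returns 0 on success, -1 if a header or payload would cross blob_len. */
static int
split_app_ie(const uint8_t *data, size_t blob_len, struct ie_split *out)
{
    const uint8_t *ie;
    size_t first_len, rest;

    if (blob_len < 2)               /* need id + len before reading data[1] */
        return -1;
    first_len = 2 + (size_t)data[1];
    if (first_len > blob_len)       /* data[1] claims more than the buffer holds */
        return -1;
    out->first = data;
    out->first_len = first_len;
    out->second = NULL;
    out->second_len = 0;

    rest = blob_len - first_len;
    if (rest == 0)                  /* single IE, no split needed */
        return 0;
    if (rest < 2)                   /* second header incomplete: ie[1] not readable */
        return -1;
    ie = data + first_len;
    if (2 + (size_t)ie[1] != rest)  /* assumed policy: second IE ends at blob end */
        return -1;
    out->second = ie;
    out->second_len = rest;
    return 0;
}

/* Constructed sample blobs (not captured traffic). */
static const uint8_t two_ies[] = { 0xdd, 2, 0xaa, 0xbb, 0x30, 1, 0xcc };
static const uint8_t oversized[] = { 0xdd, 0xff, 0xaa, 0xbb };  /* len 255 in 4 bytes */

int
main(void)
{
    struct ie_split s;
    return !(split_app_ie(two_ies, sizeof(two_ies), &s) == 0 &&
             split_app_ie(oversized, sizeof(oversized), &s) == -1);
}
```

The ordering is the point: each length byte is read only after the remaining byte count has been shown to cover it, so the callee never depends on its own guard to catch a pointer that is already out of bounds.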