DragonFlyBSD Kernel Audit
DF-0295

UAF race in setappie: non-atomic pointer swap/free vs concurrent beacon/IE readers

Summary

setappie() (lines 2312-2314) performs `*aie = napp` and then `IEEE80211_FREE(old)` while holding only IEEE80211_LOCK. The code's own comments flag the sequence as "XXX racey" / "bad bad bad". The beacon and probe TX paths read iv_appie_* without taking a reference, so a concurrent setappie() call can free the structure out from under a transmitting path, producing a use-after-free. Triggering it requires privilege.
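The following is an added illustration of the hardened shape, not DragonFly's code: the slot swap still happens under the lock, but the old buffer is released through a reference count instead of being freed outright, so a TX reader that pinned it keeps a valid pointer until it is done. `struct appie`, `ic_lock`, `appie_acquire`, `appie_release` and `setappie_safe` are constructed names that stand in for the real ieee80211 types and IEEE80211_LOCK.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for an application IE buffer; the field names
 * are assumptions, not DragonFly's real struct layout. */
struct appie {
    int refcnt;             /* only changed while ic_lock is held */
    size_t len;
    unsigned char data[64];
};
/* Stand-in for IEEE80211_LOCK: guards the iv_appie_* slot and refcnt. */
static atomic_flag ic_lock = ATOMIC_FLAG_INIT;
static void ic_lock_acquire(void) { while (atomic_flag_test_and_set(&ic_lock)) {} }
static void ic_lock_release(void) { atomic_flag_clear(&ic_lock); }
static struct appie *appie_alloc(const unsigned char *ie, size_t len) {
    struct appie *p = calloc(1, sizeof *p);
    if (p == NULL || len > sizeof p->data) { free(p); return NULL; }
    p->refcnt = 1;          /* this reference is owned by the slot */
    p->len = len;
    memcpy(p->data, ie, len);
    return p;
}
/* Drop one reference; returns 1 only when the buffer was really freed. */
static int appie_release(struct appie *p) {
    ic_lock_acquire();
    int last = (--p->refcnt == 0);
    ic_lock_release();
    if (last) free(p);      /* no reader can still hold it */
    return last;
}
/* TX path (beacon/probe): pin the buffer under the lock, read it after. */
static struct appie *appie_acquire(struct appie **slot) {
    ic_lock_acquire();
    struct appie *p = *slot;
    if (p != NULL) p->refcnt++;
    ic_lock_release();
    return p;
}
/* Hardened setappie(): swap under the lock, then drop the slot's
 * reference instead of calling free; memory is reclaimed only when the
 * last reader releases it too.  Returns 1 if it was freed right now. */
static int setappie_safe(struct appie **slot, struct appie *napp) {
    ic_lock_acquire();
    struct appie *old = *slot;
    *slot = napp;
    ic_lock_release();
    return old != NULL ? appie_release(old) : 0;
}
```

The unsafe original differs only in the last line of setappie_safe: it calls free on `old` directly, which is exactly what lets a reader holding a raw pointer dereference freed memory.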