DragonFlyBSD Kernel Audit
DF-0322

No validation of tid/baw before indexing ni_rx_ampdu[tid] and setting rxa_wnd

Summary

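ieee80211_ampdu_rx_start_ext (line 566) carries the comment "XXX TODO: sanity check tid,seq,baw", and tid and baw are used without validation. tid indexes ni_rx_ampdu[tid] with no check that it lies in [0,16). baw is an int: a negative baw passes through min(baw, 64) unchanged, is then converted to uint16, and produces a huge rxa_wnd. With that window every off < rxa_wnd check passes, so the store to rxa_m[off] becomes a heap out-of-bounds write. Driver-gated.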
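The integer conversion described above, next to a validated form, as an added user-space model that is not DragonFlyBSD source. The function names and the MODEL_ constants are hypothetical; the values 16 and 64 are taken from the finding, and rejecting a negative baw outright is an assumed policy.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_NTID    16  /* tid bound [0,16) from the finding */
#define MODEL_BAW_MAX 64  /* cap from the min(baw, 64) in the finding */

/* Unvalidated path as the finding describes it: signed min, then narrowing. */
static uint16_t wnd_unchecked(int baw)
{
    int w = baw < MODEL_BAW_MAX ? baw : MODEL_BAW_MAX; /* negative stays negative */
    return (uint16_t)w;                                 /* wraps modulo 65536 */
}

/* Validated form: reject a bad tid or baw before any indexing or narrowing.
 * Returns 0 and stores the window in *wnd, or -1 when the input is rejected. */
static int wnd_checked(int tid, int baw, uint16_t *wnd)
{
    if (tid < 0 || tid >= MODEL_NTID)
        return -1;  /* would index outside the per-tid array */
    if (baw < 0)
        return -1;  /* assumed policy: a negative window is never valid */
    *wnd = (uint16_t)(baw < MODEL_BAW_MAX ? baw : MODEL_BAW_MAX);
    return 0;
}

/* Models the off < rxa_wnd guard that precedes the rxa_m[off] store. */
static int slot_accepted(uint16_t rxa_wnd, unsigned off)
{
    return off < rxa_wnd;
}

int main(void)
{
    uint16_t w = 0;
    uint16_t bad = wnd_unchecked(-1);

    printf("unchecked baw=-1 -> window %u, off=1000 accepted=%d\n",
           (unsigned)bad, slot_accepted(bad, 1000));
    printf("checked   baw=-1 -> rc=%d\n", wnd_checked(3, -1, &w));
    printf("checked   tid=16 -> rc=%d\n", wnd_checked(16, 32, &w));
    if (wnd_checked(3, 200, &w) == 0)
        printf("checked   baw=200 -> window %u, off=64 accepted=%d\n",
               (unsigned)w, slot_accepted(w, 64));
    return 0;
}
```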