DragonFlyBSD Kernel Audit
DF-0324

HT cap/info IE parsers perform no own length validation (caller-trust fragile)

Summary

ieee80211_parse_htcap (:1418), htinfo_parse (:1438) and setup_basic_htrates (:1691) dereference fixed offsets in the IE without checking its length. This is safe today because the callers run VERIFY_LENGTH first. A future caller that forgets that check would introduce a remote out-of-bounds read. The contract is implicit and undocumented.
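
The defensive alternative to the caller-trust contract, as an added example that is not DragonFlyBSD code: a parser that checks the IE length itself before touching any fixed offset. It covers only the standard HT Capabilities element (ID 45, 26-octet body); the function name, struct and sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names; constants follow the 802.11 HT Capabilities element. */
#define ELEMID_HTCAP   45   /* element ID */
#define HTCAP_BODY_LEN 26   /* fixed body length in octets */

struct htcap_fields {
    uint16_t cap;     /* HT Capability Info, little-endian on the wire */
    uint8_t  param;   /* A-MPDU Parameters */
};

/*
 * Parse one HT Capabilities IE from a buffer with 'avail' readable bytes.
 * Returns 0 on success, -1 if the element is absent, truncated, or short.
 * Every check is local, so a caller that forgets to pre-validate still
 * cannot cause a read past the frame.
 */
static int
htcap_parse_checked(const uint8_t *ie, size_t avail, struct htcap_fields *out)
{
    if (ie == NULL || out == NULL || avail < 2)
        return -1;                      /* no room for ID + length */
    if (ie[0] != ELEMID_HTCAP)
        return -1;                      /* wrong element */
    if (ie[1] < HTCAP_BODY_LEN)
        return -1;                      /* declared body too short */
    if ((size_t)ie[1] > avail - 2)
        return -1;                      /* declared body overruns the buffer */

    out->cap = (uint16_t)(ie[2] | (ie[3] << 8));
    out->param = ie[4];
    return 0;
}

/* Constructed sample: a well-formed element (cap = 0x016e, param = 0x1b). */
static const uint8_t sample_ok[2 + HTCAP_BODY_LEN] = {
    ELEMID_HTCAP, HTCAP_BODY_LEN, 0x6e, 0x01, 0x1b
};
/* Constructed sample: length byte claims 26 octets but only 3 follow. */
static const uint8_t sample_trunc[] = { ELEMID_HTCAP, HTCAP_BODY_LEN, 0x6e, 0x01, 0x1b };
/* Constructed sample: declared length shorter than the fixed body. */
static const uint8_t sample_short[] = { ELEMID_HTCAP, 4, 0x6e, 0x01, 0x1b, 0x00 };
```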