DragonFlyBSD Kernel Audit
DF-0327

ieee80211_ies_expand walks IE blob with no length validation: OOB read

Summary

ieee80211_ies_expand (:982-1024) carries the comment "we don't do any validity checking of ie lengths". Its loop advances with ie += 2 + ie[1] without checking ie[1] against the remaining ielen, so a blob that is not TLV-aligned leads to an OOB read past ies->data. Mitigated: parse_beacon pre-validates the IEs. The finding is latent and a defense-in-depth item.
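
A bounds-checked form of the walk described above, as an added example that is not DragonFlyBSD code and not part of the audit's own material. ie_walk_checked, struct ie_index and the sample blobs are hypothetical names and constructed data; element ID 221 is the 802.11 vendor-specific element.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the per-IE pointers the real function fills in. */
struct ie_index {
    const uint8_t *first_vendor; /* first element with ID 221, or NULL */
    size_t count;                /* elements accepted before stopping */
};

/*
 * The finding's pattern is "ie += 2 + ie[1]" with no comparison against the
 * bytes left. Here every step is checked first. Returns 0 if all elements
 * fit in the blob, -1 as soon as a header or body would run past its end.
 */
int ie_walk_checked(const uint8_t *data, size_t len, struct ie_index *out)
{
    const uint8_t *ie = data;
    size_t remaining = len;

    out->first_vendor = NULL;
    out->count = 0;
    while (remaining > 0) {
        if (remaining < 2)            /* no room for the ID and length octets */
            return -1;
        size_t elen = 2 + (size_t)ie[1];
        if (elen > remaining)         /* length octet claims more than is left */
            return -1;
        if (ie[0] == 221 && out->first_vendor == NULL)
            out->first_vendor = ie;
        out->count++;
        ie += elen;
        remaining -= elen;
    }
    return 0;
}

/* Constructed sample blobs (not captured traffic). */
const uint8_t blob_ok[] = { 0, 3, 'a', 'b', 'c', 221, 4, 0x00, 0x50, 0xf2, 0x01 };
const uint8_t blob_overrun[] = { 0, 3, 'a', 'b', 'c', 221, 200, 0x00, 0x50 };
const uint8_t blob_short_hdr[] = { 0, 3, 'a', 'b', 'c', 221 };

int main(void)
{
    struct ie_index idx;
    /* Exit status 0 means the well-formed blob passed and both bad ones failed. */
    return !(ie_walk_checked(blob_ok, sizeof(blob_ok), &idx) == 0 &&
             ie_walk_checked(blob_overrun, sizeof(blob_overrun), &idx) == -1 &&
             ie_walk_checked(blob_short_hdr, sizeof(blob_short_hdr), &idx) == -1);
}
```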