DragonFlyBSD Kernel Audit
DF-0346

Uninitialized stack read of rsnparms on WPS/TSN assoc path bypasses HT-cipher downgrade protection

Summary

In the ASSOC_REQ case of hostap_recv_mgmt (:1934), rsnparms is an uninitialized stack variable. For WPS/TSN, wpa_assocreq returns 1 early without calling parse_wpa/rsn, so rsnparms is never written (no memset). The HT-cipher check (:2103-2106) then reads rsnparms.rsn_ucastcipher under the F_WPA condition. If the garbage value happens to equal AES_CCM (3), HT is not disabled for a WPS/TSN station with a weak cipher. Remote, unauthenticated trigger: association request with no WPA IE + FEXT_WPS/TSN + HT capability. The outcome is non-deterministic.
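The control flow described in the summary, as an added model that is not the kernel's code: the early-return path leaves the struct unwritten, so the later check depends on stack residue, and zero-initializing the struct makes the check deterministic. All names, flag values and the `residue` parameter (a stand-in for stale stack contents) are assumptions of this example; only the AES_CCM value 3 comes from the finding.

```c
#include <string.h>

/* Simplified model of the flow in the summary; names and flag values
 * are stand-ins for this example, not the kernel's definitions. */
enum { CIPHER_AES_CCM = 3 };            /* value given in the summary */
#define F_WPA    0x1u                   /* stand-in for the F_WPA condition */
#define FEXT_WPS 0x2u                   /* stand-in for FEXT_WPS/TSN */

struct rsnparms_model { int ucastcipher; };

/* Models wpa_assocreq: with no WPA/RSN IE it returns 1 early on the
 * WPS/TSN path and never writes *rsn; otherwise the parser fills it. */
static int assocreq_model(int ie_cipher, unsigned flags,
                          struct rsnparms_model *rsn)
{
    if (ie_cipher < 0)                  /* no WPA/RSN IE in the request */
        return (flags & FEXT_WPS) ? 1 : 0;
    memset(rsn, 0, sizeof(*rsn));       /* parser path initializes */
    rsn->ucastcipher = ie_cipher;
    return 1;
}

/* Models the HT-cipher check: returns 1 if HT stays enabled. */
static int ht_kept(unsigned flags, const struct rsnparms_model *rsn)
{
    if ((flags & F_WPA) && rsn->ucastcipher != CIPHER_AES_CCM)
        return 0;                       /* non-CCM cipher: disable HT */
    return 1;
}

/* zero_first = 0 models the reported behaviour, zero_first = 1 the
 * hardened variant. Returns -1 if the association is rejected. */
static int assoc_keeps_ht(int ie_cipher, unsigned flags, int residue,
                          int zero_first)
{
    struct rsnparms_model rsn;
    rsn.ucastcipher = residue;          /* simulate stale stack contents */
    if (zero_first)
        memset(&rsn, 0, sizeof(rsn));   /* mitigation: define the value */
    if (!assocreq_model(ie_cipher, flags, &rsn))
        return -1;
    return ht_kept(flags, &rsn);
}
```

With the struct zeroed, the early-return path always yields a non-CCM cipher value, so the check disables HT regardless of what the stack held.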