DragonFlyBSD Kernel Audit
DF-0348

Missing m_pullup for management frames: no guarantee frame header contiguous

Summary

In hostap_input, the TYPE_DATA path gets an m_pullup (:596-603). The TYPE_MGT path does NOT: it checks only m_pkthdr.len, not m_len. For a chained mbuf whose first segment is shorter than 24 bytes, wh=mtod reads past the first mbuf. In hostap_recv_mgmt, efrm=mtod+m_len covers the first mbuf only, so IEs in later mbufs are missed. Defense-in-depth: most drivers coalesce RX frames.
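
The gap between the two length checks, shown as an added example that is not DragonFlyBSD code: a user-space toy model of an mbuf chain in which the total length passes but the first segment is shorter than the 24-byte header. The names struct seg, chain_len, check_total_only, header_contiguous and toy_pullup are hypothetical stand-ins, and the sample frame is constructed.

```c
#include <stddef.h>
#include <string.h>

#define HDR_LEN 24 /* header size the finding requires in the first segment */

/* Toy user-space stand-in for an mbuf chain segment (not the kernel struct). */
struct seg {
    struct seg *next;
    size_t len;              /* bytes valid in this segment, like m_len */
    unsigned char data[64];
};

/* Sum over the chain: the quantity m_pkthdr.len describes. */
static size_t chain_len(const struct seg *s) {
    size_t n = 0;
    for (; s != NULL; s = s->next) n += s->len;
    return n;
}

/* The check the finding attributes to the TYPE_MGT path: total length only. */
static int check_total_only(const struct seg *s) { return chain_len(s) >= HDR_LEN; }

/* What must hold before a header pointer into data[] may be dereferenced. */
static int header_contiguous(const struct seg *s) { return s != NULL && s->len >= HDR_LEN; }

/* Simplified pullup: copy bytes forward until the first `want` bytes sit in
 * the head segment. Returns 0 on success, -1 if the chain is too short.
 * Unlike the kernel's m_pullup, it never allocates or frees segments. */
static int toy_pullup(struct seg *s, size_t want) {
    if (s == NULL || want > sizeof s->data || chain_len(s) < want) return -1;
    while (s->len < want) {
        struct seg *n = s->next;
        size_t take = want - s->len;
        if (take > n->len) take = n->len;
        memcpy(s->data + s->len, n->data, take);
        memmove(n->data, n->data + take, n->len - take);
        s->len += take;
        n->len -= take;
        if (n->len == 0) s->next = n->next; /* unlink the drained segment */
    }
    return 0;
}

int main(void) {
    /* Constructed sample: 30-byte frame split 10 + 20 across two segments. */
    struct seg tail = { NULL, 20, {0} }, head = { &tail, 10, {0} };
    if (!check_total_only(&head) || header_contiguous(&head)) return 1;
    return toy_pullup(&head, HDR_LEN) == 0 && header_contiguous(&head) ? 0 : 1;
}
```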