DragonFlyBSD Kernel Audit
DF-0350

Unbounded mesh route-table growth + attacker-controlled lifetime: remote memory exhaustion DoS

Summary

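Every PREQ, PREP or RANN that carries a previously unseen originator or target address calls ieee80211_mesh_rt_add, which performs a kmalloc and a TAILQ_INSERT with no upper bound on the number of entries. The entry lifetime is taken from the attacker-controlled uint32 preq_lifetime field via mesh_rt_update (:1097). The issue is remotely reachable: a flood of PREQs with distinct spoofed originator MACs and a maximal lifetime causes unbounded kernel memory growth, ending in memory exhaustion or a panic.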
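
The two missing checks, modelled in userland C as an added example (not DragonFly code and not a proposed patch): an entry cap enforced before allocation and a clamp on the frame-supplied lifetime. RT_MAX_ENTRIES, RT_MAX_LIFETIME and every rt_* name are hypothetical, their values are assumptions, and entry ageing is not modelled.

```c
/* Userland model of a bounded route table. Added example, not DragonFly code;
 * RT_MAX_ENTRIES, RT_MAX_LIFETIME and all rt_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>
#define RT_MAX_ENTRIES  64       /* assumed cap on table size */
#define RT_MAX_LIFETIME 60000u   /* assumed ceiling for the frame-supplied lifetime */
struct rt_entry { TAILQ_ENTRY(rt_entry) link; uint8_t dest[6]; uint32_t lifetime; };
struct rt_table { TAILQ_HEAD(, rt_entry) head; unsigned count; };

/* Add or refresh a route; returns NULL when the table is full or allocation fails. */
struct rt_entry *rt_add(struct rt_table *t, const uint8_t dest[6], uint32_t wire_lifetime)
{
    struct rt_entry *e;
    TAILQ_FOREACH(e, &t->head, link)
        if (memcmp(e->dest, dest, 6) == 0)
            break;
    if (e == NULL) {                     /* unseen address: would grow the table */
        if (t->count >= RT_MAX_ENTRIES)
            return NULL;                 /* refuse growth instead of allocating */
        if ((e = calloc(1, sizeof(*e))) == NULL)
            return NULL;
        memcpy(e->dest, dest, 6);
        TAILQ_INSERT_TAIL(&t->head, e, link);
        t->count++;
    }
    /* Clamp the untrusted lifetime so an entry cannot outlive the local ceiling. */
    e->lifetime = wire_lifetime > RT_MAX_LIFETIME ? RT_MAX_LIFETIME : wire_lifetime;
    return e;
}

/* Constructed input: n distinct addresses, each with the maximum lifetime. */
unsigned rt_demo(unsigned n)
{
    struct rt_table t = { .count = 0 };
    TAILQ_INIT(&t.head);
    for (unsigned i = 0; i < n; i++) {
        uint8_t mac[6] = { 0x02, 0, 0, 0, (uint8_t)(i >> 8), (uint8_t)i };
        rt_add(&t, mac, UINT32_MAX);
    }
    return t.count;                      /* entries are leaked; demo only */
}

int main(void) { printf("entries after 1000 adds: %u\n", rt_demo(1000)); return 0; }
```

A hard cap that rejects new entries trades memory exhaustion for the possibility that legitimate routes are refused while the table is full, so a real fix would also need an eviction or rate-limiting policy.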