DragonFlyBSD Kernel Audit
DF-0352

RANN frame overwrites shared global ieee80211_hwmp_rannint without lock: remote timer DoS

Summary

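hwmp_recv_rann (:1971) assigns ieee80211_hwmp_rannint = rann->rann_interval directly from the received frame without holding a lock (the code carries an "XXX: mtx lock?" comment). The variable is shared across all vaps and drives the callout period (:841). Remote impact: a RANN frame with rann_interval=0 puts the callout into a tight loop and saturates the CPU. The unlocked write is also a data race against the sysctl handler.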
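A user-space model of the pattern and one possible hardening, added here as an illustration; it is not DragonFlyBSD source. The function names, the bounds and the use of a C11 atomic in place of the mutex the XXX comment asks about are all assumptions.

```c
#include <stdint.h>
#include <stdatomic.h>

/* Hypothetical bounds in timer units; not values from the kernel source. */
#define RANNINT_MIN 10
#define RANNINT_MAX 60000

/* Model of the shared global that sets the callout period for all vaps. */
static _Atomic int model_rannint = 1000;

/* Pattern from the finding: the frame-controlled value is stored unchecked. */
static void recv_rann_unchecked(uint32_t rann_interval)
{
    atomic_store(&model_rannint, (int)rann_interval);
}

/*
 * Hardened receive path: an out-of-range interval is rejected and the
 * previous period is kept. The atomic store stands in for the missing
 * lock so a concurrent writer (the sysctl handler in the finding)
 * cannot race with this one.
 */
static int recv_rann_checked(uint32_t rann_interval)
{
    if (rann_interval < RANNINT_MIN || rann_interval > RANNINT_MAX)
        return -1;
    atomic_store(&model_rannint, (int)rann_interval);
    return 0;
}

/* Value currently stored in the shared variable. */
static int raw_period(void)
{
    return atomic_load(&model_rannint);
}

/* Period the timer is re-armed with; the floor is defence in depth. */
static int next_callout_period(void)
{
    int t = atomic_load(&model_rannint);
    return t < RANNINT_MIN ? RANNINT_MIN : t;
}
```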