DragonFlyBSD Kernel Audit
DF-0363

ieee80211_dump_pkt reads WEP/QoS/4-addr fields without bounds-checking against frame length: OOB read when debug enabled

Summary

ieee80211_dump_pkt (:591-606) takes a len parameter but never validates its buffer accesses against it. The DSTODS case (:574) dereferences &wh[1] to print the fourth address without verifying len >= sizeof(ieee80211_frame_addr4). The QoS block (:591-596) casts buf to a qosframe and reads i_qos[0] with no len check. The WEP block (:597-607) reads buf[off+0..6] (up to 7 bytes past the header) without checking that len >= off+7. A short crafted frame with the Protected, QoS and 4-address bits set therefore causes an out-of-bounds kernel memory read; the bytes are forwarded to kprintf/console (minor info leak), or the kernel panics if the read crosses into an unmapped page. The code is gated behind IEEE80211_MSG_DEBUG/wlandebug, so it is not reached in normal operation.
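As an added illustration (not DragonFly's code), the bounds check the dump routine is missing: derive the header length from the frame's own flag bits (4-address, QoS), then refuse to touch any field, including the WEP IV and extended IV, that the buffer cannot hold. The frame-control constants mirror the standard 802.11 layout and are assumed here rather than taken from the page; the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Frame-control bits, mirroring the 802.11 layout (assumed, not from the audit). */
#define FC0_TYPE_MASK    0x0c
#define FC0_TYPE_DATA    0x08
#define FC0_SUBTYPE_QOS  0x80
#define FC1_DIR_MASK     0x03
#define FC1_DIR_DSTODS   0x03
#define FC1_PROTECTED    0x40
#define WEP_IVLEN        3
#define WEP_EXTIV        0x20

/* Bytes a header/IV dump would touch, or 0 when the buffer is shorter than the
 * fields its own flag bits claim: the check the dump routine is missing. */
static size_t
frame_dump_extent(const uint8_t *buf, size_t len)
{
    size_t hdr = 24;                 /* three-address header */
    if (len < 2)                     /* i_fc[0..1] must exist before anything is read */
        return 0;
    if ((buf[1] & FC1_DIR_MASK) == FC1_DIR_DSTODS)
        hdr += 6;                    /* fourth address at &wh[1] */
    if ((buf[0] & FC0_TYPE_MASK) == FC0_TYPE_DATA && (buf[0] & FC0_SUBTYPE_QOS))
        hdr += 2;                    /* i_qos[0..1] follows the addresses */
    if (len < hdr)
        return 0;
    if (!(buf[1] & FC1_PROTECTED))
        return hdr;
    if (len < hdr + WEP_IVLEN + 1)   /* IV[0..2] plus the KeyID/ExtIV byte */
        return 0;
    if (buf[hdr + WEP_IVLEN] & WEP_EXTIV) {
        if (len < hdr + 7)           /* extended IV: dump also reads buf[off+4..6] */
            return 0;
        return hdr + 7;
    }
    return hdr + WEP_IVLEN + 1;
}

/* Constructed sample frames, not captured traffic. */
const uint8_t good_4addr[30] = { 0x08, 0x03 };            /* data, DSTODS, exact fit */
const uint8_t wep_3addr[28] = { 0x08, 0x40 };             /* data, Protected, no ExtIV */
const uint8_t qos_4addr_extiv[39] = { [0] = 0x88, [1] = 0x43, [35] = 0x20 }; /* QoS, DSTODS, ExtIV */
const uint8_t crafted_short[10] = { 0x88, 0x43 };         /* bits claim 39 bytes, has 10 */
```

A caller that gets 0 back should skip the dump (or print only the bytes it has) rather than trust the flag bits.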