DragonFlyBSD Kernel Audit
DF-0365

ieee80211_media_setup unbounded rate-set merge overflows stack buffer rs_rates[15]: 17 unique rates across 11a/b/g/HALF/QUARTER

Summary

ieee80211_media_setup (:1564-1603) declares struct ieee80211_rateset allrates on the stack; its rs_rates array holds IEEE80211_RATE_MAXSIZE = 15 entries. The loop at :1565-1594 collects the unique rate values across all supported phy modes, but it never checks rs_nrates < 15 before writing rs_rates[j] (:1587) and incrementing the count (:1588). The union of the default rate sets for 11a (8), 11b (4), 11g (12), HALF (8) and QUARTER (8) contains 17 distinct values, {2, 3, 4, 6, 9, 11, 12, 18, 22, 24, 27, 36, 48, 54, 72, 96, 108}, which exceeds the 15 slots: the loop writes rs_rates[15] and rs_rates[16] past the end of the array and corrupts the stack. The follow-on read loop (:1595-1603) then reads the same out-of-bounds slots. The condition is triggered at vap attach for a/b/g NICs with half- and quarter-rate support (e.g. Atheros ath). It requires PRIV_DRIVER (root). With a stack canary the result is a deterministic panic.
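As an added illustration (not DragonFly's code), the merge described above with the missing bound in place, run over constructed default rate sets that reproduce the 17-value union from the summary; RATE_MAXSIZE, struct rateset and the array contents are stand-ins for the kernel's IEEE80211_RATE_MAXSIZE, struct ieee80211_rateset and per-mode defaults.

```c
#include <stdint.h>
#include <stdio.h>

#define RATE_MAXSIZE 15          /* stand-in for IEEE80211_RATE_MAXSIZE (15 per the report) */
struct rateset {                 /* layout of struct ieee80211_rateset as the report describes it */
    uint8_t rs_nrates;
    uint8_t rs_rates[RATE_MAXSIZE];
};

/* Constructed default rate sets (500 kbps units) chosen to reproduce the report's 17-value union. */
static const uint8_t r11a[]  = {12, 18, 24, 36, 48, 72, 96, 108};
static const uint8_t r11b[]  = {2, 4, 11, 22};
static const uint8_t r11g[]  = {2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108};
static const uint8_t rhalf[] = {6, 9, 12, 18, 24, 36, 48, 54};
static const uint8_t rquar[] = {3, 4, 6, 9, 12, 18, 24, 27};

/* Bounded merge of unique rates into dst. Returns how many new rates were dropped
 * because the array was already full; the loop the report describes has no such bound. */
static int merge_unique(struct rateset *dst, const uint8_t *src, size_t n) {
    int dropped = 0;
    for (size_t i = 0; i < n; i++) {
        int j = 0;
        while (j < dst->rs_nrates && dst->rs_rates[j] != src[i])
            j++;
        if (j < dst->rs_nrates)
            continue;                                  /* rate already present */
        if (dst->rs_nrates >= RATE_MAXSIZE) { dropped++; continue; }  /* the missing rs_nrates < 15 check */
        dst->rs_rates[dst->rs_nrates++] = src[i];
    }
    return dropped;
}

/* Merge all five modes the report names into rs; returns the number of rates that did not fit. */
int merge_all_modes(struct rateset *rs) {
    *rs = (struct rateset){0};
    int dropped = merge_unique(rs, r11a, sizeof r11a);
    dropped += merge_unique(rs, r11b, sizeof r11b);
    dropped += merge_unique(rs, r11g, sizeof r11g);
    dropped += merge_unique(rs, rhalf, sizeof rhalf);
    dropped += merge_unique(rs, rquar, sizeof rquar);
    return dropped;
}

/* Distinct rates across all modes (slots the unbounded loop would need) and how many overflow. */
int distinct_rates_all_modes(void) { struct rateset rs; int d = merge_all_modes(&rs); return rs.rs_nrates + d; }
int overflow_rates_all_modes(void) { struct rateset rs; return merge_all_modes(&rs); }

int main(void) {
    printf("%d distinct rates, %d do not fit in %d slots\n",
           distinct_rates_all_modes(), overflow_rates_all_modes(), RATE_MAXSIZE);
    return 0;
}
```

The two rates that are dropped here (3 and 27 from QUARTER) are the writes that land in rs_rates[15] and rs_rates[16] in the unbounded version.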