DragonFlyBSD Kernel Audit
DF-0395

sta_lookup returns entry with table lock released: callers dereference unlocked pointer (TOCTOU, use-after-free window)

Summary

sta_lookup (:1283-1296) acquires the table lock, finds the matching entry, releases the lock, and then returns the raw se pointer (the code itself notes "NB: unlocked"). Callers use that pointer without holding the lock: sta_roam_check (:1349-1352) writes se_rssi, and sta_assoc_fail/sta_assoc_success (:1437-1462) increment se fields. A concurrent adhoc_age (:1684-1690), which frees entries, or sta_flush_table (:224-229) can free the entry inside that window, giving a use-after-free. The race is multi-core and timing-dependent.