DragonFlyBSD Kernel Audit
DF-0435

bpf_movein IEEE80211_RADIO path: ibp_len from user packet drives link-header copy without proper mbuf bounds check

Summary

In bpf_movein(), the DLT_IEEE802_11_RADIO branch (bpf.c:264-274) takes the link-header length from the user-supplied packet: hlen = p->ibp_len, where p is the ieee80211_bpf_params header at the front of the mbuf. That value is bounded only against sizeof(sockp->sa_data) (:266), never against m->m_len. It then drives both bcopy(m->m_data, sockp->sa_data, hlen) (:271) and the header strip m->m_data += hlen; m->m_len -= hlen (:272-274). The only reason this is safe today is that the packet length has already been checked against sizeof(struct ieee80211_bpf_params) before ibp_len is read, and sizeof(struct ieee80211_bpf_params) >= sizeof(sa_data), so any ibp_len that passes the sa_data bound is also covered by the bytes the caller actually supplied. If the params struct ever becomes smaller than sa_data, an ibp_len in the gap passes the check, the bcopy reads past the supplied data, and m_len underflows (goes negative). Safe by accident rather than by construction: bound hlen against m->m_len as well, as defense in depth.
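Added illustration, not DragonFlyBSD code: a constructed C model of this branch with the finding's check beside a hardened one. model_mbuf, model_sockaddr, movein_current, movein_hardened and run_scenario are all made-up names; the 14-byte sizes match the real ieee80211_bpf_params and sa_data, while the 8-byte params struct in the second scenario is the hypothetical future case the finding warns about, and the poison fill stands in for whatever happens to sit in the mbuf past the bytes the user supplied.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the DLT_IEEE802_11_RADIO branch of bpf_movein()
 * (not DragonFlyBSD code). The mbuf and sockaddr keep only the fields the
 * finding touches, and the params-struct size is a parameter so the
 * "struct shrinks below sa_data" case can be exercised. */

#define SA_DATA_LEN 14   /* sizeof(((struct sockaddr *)0)->sa_data) */
#define IBP_LEN_OFF  1   /* ibp_len follows the one-byte ibp_vers */
#define POISON    0xAA   /* marks bytes the user never supplied */

struct model_mbuf {
	uint8_t *m_data;
	int      m_len;      /* int, like the real m_len, so it can go negative */
};

struct model_sockaddr {
	uint8_t sa_data[SA_DATA_LEN];
};

typedef int (*movein_fn)(struct model_mbuf *, struct model_sockaddr *, size_t);

/* Logic as the finding describes it: hlen comes from ibp_len in the user
 * packet and is bounded only against sizeof(sa_data). */
static int movein_current(struct model_mbuf *m, struct model_sockaddr *sa,
			  size_t params_len)
{
	int hlen = (int)params_len;

	if (m->m_len < hlen)
		return EPERM;          /* the earlier packet-length check */
	hlen = m->m_data[IBP_LEN_OFF]; /* attacker-controlled header length */
	if (hlen > SA_DATA_LEN)
		return EINVAL;
	memcpy(sa->sa_data, m->m_data, hlen);  /* may read past m_len */
	m->m_data += hlen;
	m->m_len -= hlen;                      /* may go negative */
	return 0;
}

/* Hardened variant: also refuse an ibp_len that exceeds what is in the mbuf. */
static int movein_hardened(struct model_mbuf *m, struct model_sockaddr *sa,
			   size_t params_len)
{
	int hlen = (int)params_len;

	if (m->m_len < hlen)
		return EPERM;
	hlen = m->m_data[IBP_LEN_OFF];
	if (hlen > SA_DATA_LEN || hlen > m->m_len)
		return EINVAL;
	memcpy(sa->sa_data, m->m_data, hlen);
	m->m_data += hlen;
	m->m_len -= hlen;
	return 0;
}

struct scenario_result {
	int err;       /* errno returned by the variant, 0 on success */
	int m_len;     /* m_len after stripping the header; negative = underflow */
	int overread;  /* 1 if sa_data received bytes the user never supplied */
};

/* Build a constructed packet: a params header of params_len bytes whose
 * ibp_len field claims `claimed`, followed by `payload` data bytes, inside
 * a larger backing buffer filled with POISON past the supplied bytes. */
static struct scenario_result run_scenario(movein_fn fn, size_t params_len,
					   uint8_t claimed, int payload)
{
	static uint8_t buf[64];
	struct model_mbuf m = { buf, (int)params_len + payload };
	struct model_sockaddr sa;
	struct scenario_result r = { 0, 0, 0 };

	memset(buf, POISON, sizeof(buf));
	memset(buf, 0, (size_t)m.m_len);
	buf[IBP_LEN_OFF] = claimed;
	memset(&sa, 0, sizeof(sa));

	r.err = fn(&m, &sa, params_len);
	r.m_len = m.m_len;
	r.overread = memchr(sa.sa_data, POISON, sizeof(sa.sa_data)) != NULL;
	return r;
}

int main(void)
{
	/* Today: sizeof(ieee80211_bpf_params) == sizeof(sa_data) == 14. */
	struct scenario_result a = run_scenario(movein_current, 14, 14, 0);
	/* Hypothetical: the params struct shrinks to 8 bytes, the user sends 8
	 * bytes claiming ibp_len = 12; the sa_data bound alone lets it through. */
	struct scenario_result b = run_scenario(movein_current, 8, 12, 0);
	struct scenario_result c = run_scenario(movein_hardened, 8, 12, 0);

	printf("today:    err=%d m_len=%d overread=%d\n", a.err, a.m_len, a.overread);
	printf("shrunk:   err=%d m_len=%d overread=%d\n", b.err, b.m_len, b.overread);
	printf("hardened: err=%d m_len=%d overread=%d\n", c.err, c.m_len, c.overread);
	return 0;
}
```

With today's sizes both variants behave identically; in the shrunk case the current check copies four poison bytes into sa_data and leaves m_len at -4, while the hardened check returns EINVAL before touching the mbuf. The extra comparison against m->m_len costs nothing on the normal path, which is why it belongs there regardless of the struct sizes.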