DragonFlyBSD Kernel Audit
DF-0483

No validation of attacker-supplied STP timer values from winning root bridge BPDU

Summary

bstp_record_config_timeout_values() (:393-401) blindly copies cu_max_age/cu_hello_time/cu_forward_delay from a received Config BPDU into the bridge state (sc) with no range validation. The values are uint16 taken via ntohs() from the attacker's BPDU (:926-928). IEEE 802.1D-2004 mandates max_age 6-40 s, hello_time 1-10 s, forward_delay 4-30 s. Setting them to 0 causes immediate timer expiry: instant BPDU age-out, or ports skipping LISTENING/LEARNING, producing rapid destabilizing topology changes. Accepting timers from the winning root bridge is inherent to the STP trust model, but the lack of clamping amplifies the DoS. Fix: clamp to the IEEE ranges.
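The unchecked copy beside the clamped fix, as an added illustration that is not DragonFlyBSD code. The struct names and the 1/256 s timer unit (the encoding 802.1D uses in BPDU fields) are assumptions; the range limits are the IEEE 802.1D-2004 values quoted above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: timers are kept in the 1/256 s units 802.1D uses on the wire.
 * Limits are the IEEE 802.1D-2004 ranges from the finding. */
#define STP_SECS(s)        ((uint16_t)((s) * 256))
#define STP_MAX_AGE_MIN    STP_SECS(6)
#define STP_MAX_AGE_MAX    STP_SECS(40)
#define STP_HELLO_MIN      STP_SECS(1)
#define STP_HELLO_MAX      STP_SECS(10)
#define STP_FWD_DELAY_MIN  STP_SECS(4)
#define STP_FWD_DELAY_MAX  STP_SECS(30)

/* Hypothetical stand-ins for the decoded config unit and bridge state. */
struct stp_config_unit { uint16_t cu_max_age, cu_hello_time, cu_forward_delay; };
struct stp_state       { uint16_t bs_max_age, bs_hello_time, bs_forward_delay; };

static uint16_t
stp_clamp(uint16_t v, uint16_t lo, uint16_t hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/* Shape of the defect: BPDU-supplied values land in bridge state untouched,
 * so a zero expires every timer at once. */
void
stp_record_timeouts_unchecked(struct stp_state *bs, const struct stp_config_unit *cu)
{
	bs->bs_max_age = cu->cu_max_age;
	bs->bs_hello_time = cu->cu_hello_time;
	bs->bs_forward_delay = cu->cu_forward_delay;
}

/* Hardened form: clamp each timer to its IEEE range before storing it.
 * Returns true when a field was adjusted so the caller can count or log
 * the out-of-range BPDU as a detection signal. */
bool
stp_record_timeouts_clamped(struct stp_state *bs, const struct stp_config_unit *cu)
{
	uint16_t ma = stp_clamp(cu->cu_max_age, STP_MAX_AGE_MIN, STP_MAX_AGE_MAX);
	uint16_t ht = stp_clamp(cu->cu_hello_time, STP_HELLO_MIN, STP_HELLO_MAX);
	uint16_t fd = stp_clamp(cu->cu_forward_delay, STP_FWD_DELAY_MIN, STP_FWD_DELAY_MAX);
	bool adjusted = ma != cu->cu_max_age || ht != cu->cu_hello_time ||
	    fd != cu->cu_forward_delay;
	bs->bs_max_age = ma;
	bs->bs_hello_time = ht;
	bs->bs_forward_delay = fd;
	return adjusted;
}
```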