DF-0580
ieee80211_defrag UAF/dangling-pointer: DragonFly m_cat frees fragment but code reads wh + m_pkthdr.len after
Summary
ieee80211_defrag (lines 248-261) captures wh = mtod(m, struct ieee80211_frame *) at line 182. For each subsequent fragment it calls m_adj(m, hdrspace) and then m_cat(mfrag, m) (lines 250-251). DragonFly's m_cat (uipc_mbuf.c:1841), when the fragment's data fits in the trailing space of mfrag's last mbuf, bcopy()s the data and then m_free()s n (line 1854), which FREES the fragment's mbufs. After m_cat returns, the code still dereferences the fragment: mfrag->m_pkthdr.len += m->m_pkthdr.len (line 253) is a UAF read of the freed mbuf's pkthdr.len, and *(uint16_t *)lwh->i_seq = *(uint16_t *)wh->i_seq (line 260) is a UAF read through wh into the freed fragment, after which the stale sequence value is WRITTEN into the reassembled header. This is DragonFly-specific: FreeBSD's m_catpkt is a pure append and never frees the appended chain. Trigger: a remote, unauthenticated station sends a small second fragment as unicast. The UAF read corrupts pkthdr.len, which leads to out-of-bounds access downstream. Fix: save seq and len before m_cat, and touch only mfrag after it returns.
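The ordering problem and its fix, as an added illustration that is not DragonFly or FreeBSD code: the toy_* mbuf, m_adj and m_cat below are constructed here, the m_cat fit-path behaviour (copy into trailing space, then free the appended mbuf) follows the description above, and the 24-byte header with i_seq at offset 22 is assumed for the toy frame. The freed fragment is poisoned rather than free()d so that the stale reads give an observable value instead of undefined behaviour.

```c
/* Toy model of the defrag ordering hazard: constructed, simplified mbufs and
 * an m_cat that frees the appended fragment when it fits.  NOT kernel code;
 * every toy_* name and constant is invented for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_CAP   64   /* bytes of storage per toy mbuf */
#define HDRSPACE  24   /* assumed 802.11 header length for the toy frame */
#define SEQ_OFF   22   /* assumed offset of the 2-byte i_seq field */

struct toy_mbuf {
    unsigned char buf[TOY_CAP];
    unsigned char *data;     /* start of valid bytes (m_adj advances it) */
    size_t len;              /* valid bytes from data */
    size_t pkthdr_len;       /* packet-header total length */
    int freed;               /* set once toy_m_free has run */
};

struct toy_result {
    uint16_t seq;            /* seq value written into the reassembled header */
    size_t pkthdr_len;       /* mfrag->pkthdr_len after reassembly */
};

/* Poison instead of free() so a stale read is observable, not undefined. */
static void toy_m_free(struct toy_mbuf *m)
{
    memset(m->buf, 0xdd, sizeof m->buf);
    m->data = m->buf;
    m->len = 0;
    m->pkthdr_len = (size_t)0xdddddddd;
    m->freed = 1;
}

/* m_adj(m, n) for n > 0: drop n leading bytes, keeping pkthdr_len in step. */
static void toy_m_adj(struct toy_mbuf *m, size_t n)
{
    m->data += n;
    m->len -= n;
    m->pkthdr_len -= n;
}

/* m_cat fit path as described in the report: when n fits in the trailing
 * space of m, copy it in and free n.  Returns -1 when it would have to chain
 * instead (chaining is not modelled here). */
static int toy_m_cat(struct toy_mbuf *m, struct toy_mbuf *n)
{
    size_t trailing = (size_t)(m->buf + TOY_CAP - (m->data + m->len));
    if (n->len > trailing)
        return -1;
    memcpy(m->data + m->len, n->data, n->len);
    m->len += n->len;
    toy_m_free(n);
    return 0;
}

/* Build a constructed fragment: header with the given seq, then payload. */
static void toy_make_frag(struct toy_mbuf *m, uint16_t seq, size_t payload)
{
    memset(m, 0, sizeof *m);
    m->data = m->buf;
    m->len = m->pkthdr_len = HDRSPACE + payload;
    memcpy(m->buf + SEQ_OFF, &seq, sizeof seq);
    memset(m->buf + HDRSPACE, 0xaa, payload);
}

/* Ordering from the report: append first, then read wh and m->pkthdr_len. */
static uint16_t defrag_stale(struct toy_mbuf *mfrag, struct toy_mbuf *m)
{
    unsigned char *wh = m->data;             /* header captured up front */
    uint16_t seq;

    toy_m_adj(m, HDRSPACE);
    toy_m_cat(mfrag, m);                     /* may free m */
    mfrag->pkthdr_len += m->pkthdr_len;      /* stale read of freed pkthdr */
    memcpy(&seq, wh + SEQ_OFF, sizeof seq);  /* stale read of freed header */
    memcpy(mfrag->data + SEQ_OFF, &seq, sizeof seq);
    return seq;
}

/* Fixed ordering: save seq and length before m_cat, touch only mfrag after. */
static uint16_t defrag_fixed(struct toy_mbuf *mfrag, struct toy_mbuf *m)
{
    uint16_t seq;
    size_t fraglen;

    memcpy(&seq, m->data + SEQ_OFF, sizeof seq);
    toy_m_adj(m, HDRSPACE);
    fraglen = m->pkthdr_len;
    toy_m_cat(mfrag, m);                     /* m must not be used after this */
    mfrag->pkthdr_len += fraglen;
    memcpy(mfrag->data + SEQ_OFF, &seq, sizeof seq);
    return seq;
}

/* Reassemble a constructed 16-byte first fragment (seq 0x0010) with an
 * 8-byte second fragment (seq 0x0011) using either ordering. */
static struct toy_result toy_run(int use_fixed)
{
    struct toy_mbuf mfrag, m;
    struct toy_result r;

    toy_make_frag(&mfrag, 0x0010, 16);
    toy_make_frag(&m, 0x0011, 8);
    r.seq = use_fixed ? defrag_fixed(&mfrag, &m) : defrag_stale(&mfrag, &m);
    r.pkthdr_len = mfrag.pkthdr_len;
    return r;
}
```

With the fixed ordering the reassembled header carries the second fragment's seq (0x0011) and pkthdr_len is 40 + 8 = 48; with the report's ordering the header receives the poison value 0xdddd and pkthdr_len absorbs the poisoned length, which is the corruption that drives the downstream out-of-bounds access.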