DragonFlyBSD Kernel Audit
DF-0581

ieee80211_setup_rates trusts attacker-controlled IE length byte: latent heap overflow of rs_rates[15]

Summary

ieee80211_setup_rates (lines 420-421) does rs->rs_nrates = rates[1]; memcpy(rs->rs_rates, rates + 2, rs->rs_nrates);. rates[1] is the 8-bit, attacker-controlled TLV length byte of the RATES information element, so it can be anything from 0 to 255. struct ieee80211_rateset.rs_rates is only IEEE80211_RATE_MAXSIZE = 15 bytes (_ieee80211.h:375-380). A RATES IE with length > 15 therefore writes up to 240 bytes past rs_rates, overflowing the adjacent fields of the enclosing ieee80211_node. The xrates handling at lines 427-436 IS bounded: it clamps to IEEE80211_RATE_MAXSIZE. The bug is currently mitigated by the callers (IEEE80211_VERIFY_ELEMENT plus the parse_beacon != 0 check), but the function itself performs NO validation of the length it copies. Any future caller regression would turn this into a heap overflow of a live node, corrupting function pointers, locks or credentials. Fix: rs->rs_nrates = min(rates[1], IEEE80211_RATE_MAXSIZE).
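The clamp proposed above, shown as an added stand-alone example rather than the kernel's own code: a simplified ieee80211_rateset with the 15-byte rs_rates array, a helper that reports how far the unbounded memcpy would run past it, and a bounded setup routine that applies the min() and also refuses a truncated element. The struct layout, the function names and the sample element are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IEEE80211_RATE_MAXSIZE 15   /* value cited in the audit note */

/* Simplified stand-in for the kernel's struct ieee80211_rateset (assumed layout). */
struct ieee80211_rateset {
    uint8_t rs_nrates;
    uint8_t rs_rates[IEEE80211_RATE_MAXSIZE];
};

/* Bytes an unclamped memcpy(rs_rates, ie + 2, ie[1]) would write past rs_rates.
 * 0 means the element is within bounds; a length byte of 255 yields 240. */
size_t rates_ie_overrun(const uint8_t *ie)
{
    return ie[1] > IEEE80211_RATE_MAXSIZE ? (size_t)ie[1] - IEEE80211_RATE_MAXSIZE : 0;
}

/* Hardened setup: the length byte is clamped before the copy, so the function
 * is safe regardless of what its callers verified. ie_len is the number of
 * frame bytes remaining from ie, so the copy cannot over-read either.
 * Returns the number of rates kept, or -1 for a truncated element. */
int setup_rates_bounded(struct ieee80211_rateset *rs, const uint8_t *ie, size_t ie_len)
{
    size_t n;
    if (ie_len < 2 || (size_t)ie[1] + 2 > ie_len)
        return -1;                         /* element claims more bytes than the frame has */
    n = ie[1];
    if (n > IEEE80211_RATE_MAXSIZE)
        n = IEEE80211_RATE_MAXSIZE;        /* min(rates[1], IEEE80211_RATE_MAXSIZE) */
    memset(rs, 0, sizeof(*rs));
    rs->rs_nrates = (uint8_t)n;
    memcpy(rs->rs_rates, ie + 2, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a RATES element (tag 1) whose length byte claims 20 rates. */
    uint8_t ie[2 + 20] = { 1, 20 };
    struct ieee80211_rateset rs;
    for (int i = 0; i < 20; i++)
        ie[2 + i] = (uint8_t)(0x02 + i);
    printf("unbounded copy would overrun rs_rates by %zu bytes\n", rates_ie_overrun(ie));
    printf("bounded setup kept %d rates\n", setup_rates_bounded(&rs, ie, sizeof ie));
    return 0;
}
```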