DragonFlyBSD Kernel Audit
DF-0582

ieee80211_parse_beacon FHPARMS/DSPARMS field reads exceed declared IE length: OOB read

Summary

The IE loop in ieee80211_parse_beacon has a single bounds guard, IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2) (:553). It guarantees that the IE header plus the declared body (frm[1] + 2 bytes in total) lies inside the frame, but it does not enforce any per-IE minimum body length: frm[1] may be anything, including 0.

The FHPARMS handler (:573-575) reads le16dec(&frm[2]), frm[4], frm[5] and frm[6], which needs frm[1] >= 5, and never checks it. The DSPARMS handler (:584) reads frm[2], which needs frm[1] >= 1, and never checks it either. By contrast, the ERP handler (:602) correctly discards the IE when frm[1] != 1.

A crafted beacon whose trailing IE is an FHPARMS with frm[1] < 5 or a DSPARMS with frm[1] == 0 therefore passes VERIFY_LENGTH and then reads frm[2..6] beyond efrm, i.e. past m_len into whatever stale bytes follow the frame in the mbuf cluster. The over-read is at most 5 bytes (FHPARMS) or 1 byte (DSPARMS), and the bytes only land in the scan parameters (channel, dwell, hop index), so this is an out-of-bounds read of stale cluster data into scan state rather than a crash.

Impact is limited: the FHPARMS branch only runs when ic_phytype == IEEE80211_T_FH, which is rare, and the DSPARMS branch, which runs for every other phytype, reads a single byte.

Fix: validate frm[1] >= 5 for FHPARMS and frm[1] >= 1 for DSPARMS before touching the body, discarding the IE the way the ERP handler already does.
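Added illustration, not DragonFly code: a stripped-down IE walker that keeps the same VERIFY_LENGTH guard and the same three handlers, run once as audited and once with the per-IE minimum added. The names parse_ies, run_case and struct scan_result are hypothetical stand-ins for the real scan parameter handling, the FH fields are stored raw instead of through IEEE80211_FH_CHAN, and the IE lists are constructed. Each frame is followed by 0xAA bytes standing in for stale cluster bytes past m_len, so the over-read stays inside a real allocation and its result is visible.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Element IDs and PHY types, numerically as in net80211's ieee80211.h. */
#define IEEE80211_ELEMID_FHPARMS 2
#define IEEE80211_ELEMID_DSPARMS 3
#define IEEE80211_ELEMID_ERP     42
#define IEEE80211_T_FH 1
#define IEEE80211_T_DS 2

/* Hypothetical stand-in for the scan parameters the real parser fills. */
struct scan_result {
    int status;             /* 0 = parsed, -1 = VERIFY_LENGTH failed, -2 = test frame too long */
    unsigned fhdwell, fhset, fhpat, fhindex;
    unsigned chan;
    unsigned erp;
    unsigned discarded;     /* IEs dropped by a per-IE minimum-length check */
};

static unsigned le16dec_(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/*
 * Walk the IE list [frm, efrm).  hardened == 0 reproduces the audited pattern:
 * the only guard is VERIFY_LENGTH (whole IE fits in the frame).  hardened == 1
 * adds the per-IE minimum the finding asks for.  Returns 0, or -1 when
 * VERIFY_LENGTH fails and the frame is rejected.
 */
static int parse_ies(const uint8_t *frm, const uint8_t *efrm, int phytype,
                     int hardened, struct scan_result *scan)
{
    while (efrm - frm > 1) {
        /* IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return EINVAL) */
        if (efrm - frm < frm[1] + 2)
            return -1;
        switch (frm[0]) {
        case IEEE80211_ELEMID_FHPARMS:
            if (phytype == IEEE80211_T_FH) {
                if (hardened && frm[1] < 5) { scan->discarded++; break; }
                scan->fhdwell = le16dec_(&frm[2]);  /* bytes 2..6 need frm[1] >= 5 */
                scan->fhset   = frm[4];
                scan->fhpat   = frm[5];
                scan->fhindex = frm[6];
            }
            break;
        case IEEE80211_ELEMID_DSPARMS:
            if (phytype != IEEE80211_T_FH) {
                if (hardened && frm[1] < 1) { scan->discarded++; break; }
                scan->chan = frm[2];                /* byte 2 needs frm[1] >= 1 */
            }
            break;
        case IEEE80211_ELEMID_ERP:
            /* ERP already carries the per-IE check in the audited code. */
            if (frm[1] != 1) { scan->discarded++; break; }
            scan->erp = frm[2] | 0x100;
            break;
        default:
            break;
        }
        frm += frm[1] + 2;
    }
    return 0;
}

#define PAD 8
/*
 * Copy a constructed IE list into a scratch buffer and follow it with PAD
 * bytes of 0xAA standing in for stale mbuf-cluster bytes past m_len, so an
 * over-read past efrm stays inside a real allocation and is observable.
 */
static struct scan_result run_case(const uint8_t *frame, size_t len,
                                   int phytype, int hardened)
{
    struct scan_result s;
    uint8_t buf[256];
    memset(&s, 0, sizeof s);
    if (len > sizeof buf - PAD) { s.status = -2; return s; }
    memcpy(buf, frame, len);
    memset(buf + len, 0xAA, PAD);
    s.status = parse_ies(buf, buf + len, phytype, hardened, &s);
    return s;
}

/* Constructed IE lists, not captured traffic. */
static const uint8_t good_ds[]  = { IEEE80211_ELEMID_DSPARMS, 1, 6 };           /* DSPARMS, channel 6 */
static const uint8_t short_ds[] = { IEEE80211_ELEMID_ERP, 1, 0x04,
                                    IEEE80211_ELEMID_DSPARMS, 0 };              /* trailing DSPARMS, len 0 */
static const uint8_t short_fh[] = { IEEE80211_ELEMID_FHPARMS, 2, 0x11, 0x22 };  /* FHPARMS, len 2 < 5 */
static const uint8_t trunc_ds[] = { IEEE80211_ELEMID_DSPARMS, 5, 6 };           /* claims 5 body bytes, frame has 1 */

int main(void)
{
    struct scan_result s;
    s = run_case(short_ds, sizeof short_ds, IEEE80211_T_DS, 0);
    printf("short DSPARMS, unpatched: chan=0x%x (stale byte past efrm)\n", s.chan);
    s = run_case(short_ds, sizeof short_ds, IEEE80211_T_DS, 1);
    printf("short DSPARMS, patched:   chan=%u discarded=%u\n", s.chan, s.discarded);
    s = run_case(short_fh, sizeof short_fh, IEEE80211_T_FH, 0);
    printf("short FHPARMS, unpatched: fhset=0x%x fhpat=0x%x fhindex=0x%x\n", s.fhset, s.fhpat, s.fhindex);
    s = run_case(short_fh, sizeof short_fh, IEEE80211_T_FH, 1);
    printf("short FHPARMS, patched:   discarded=%u\n", s.discarded);
    return 0;
}
```

The truncated case (trunc_ds) shows that VERIFY_LENGTH still does its job for IEs that claim more than the frame holds; the short cases show the gap it leaves when the claim is smaller than the handler's fixed-offset reads. In the unpatched run the channel and FH fields come back as 0xAA, the padding byte, which is exactly the stale-cluster-byte disclosure the finding describes; the patched run leaves them zero and counts a discarded IE.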