cutesmilee
2021-Apr-01 11:45 UTC
Missing size checks in ieee80211_ioctl_get80211() could lead to stack overflows
ieee80211_ioctl_get80211() does not check the length provided by the user, and this can lead to an out-of-bounds read and write on the kernel stack, which can lead to a denial of service. This issue is present in the latest FreeBSD sources.

ireq->i_len is a user-provided length (it is a uint16_t, so it can be at most 65535).

For the IEEE80211_IOC_SSID command, in the IEEE80211_S_SCAN or default case, an out-of-bounds copy into tmpssid (a 32-byte stack buffer) can happen if vap->iv_des_ssid[0].len is set to a large value. An out-of-bounds read from tmpssid then follows as well, because the subsequent copyout() uses the same size.

The same thing can happen with IEEE80211_IOC_WEPKEY, just with another user-controlled size.
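The following is an added example, not FreeBSD code, that models the copy pattern described above in userland so the effect of the missing size check can be observed without a kernel. The struct and function names carry a demo_ prefix and are assumptions; the frame layout (a 32-byte tmpssid followed by a canary) stands in for the real stack frame, and the "checked" variant is one plausible hardening (reject any length larger than the buffer with EINVAL), not necessarily the fix FreeBSD committed. The same shape applies to the IEEE80211_IOC_WEPKEY case with tmpkey in place of tmpssid.

```c
/* Added example (not FreeBSD code): userland model of the unchecked length
 * copy in the IEEE80211_IOC_SSID path. All demo_* names are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_NWID_LEN 32            /* mirrors IEEE80211_NWID_LEN */
#define DEMO_CANARY_BYTE 0xA5

/* User-controlled request, modelled on the i_len/i_data members of
 * struct ieee80211req. i_len is a uint16_t, so at most 65535. */
struct demo_ieee80211req {
    uint16_t i_len;
    uint8_t *i_data;                /* user buffer that copyout() writes to */
};

/* Driver state the handler copies from. The backing store is deliberately
 * larger than DEMO_NWID_LEN so the model's read side stays defined; the
 * bug under study is the write into the 32-byte tmpssid. */
struct demo_vap {
    uint8_t  des_ssid[DEMO_NWID_LEN * 2];
    uint16_t des_ssid_len;          /* the "large value" from the report */
};

/* Stand-in for the handler's stack frame: tmpssid followed by a canary that
 * represents whatever sits above it on a real stack (saved registers, the
 * return address). Because the frame is one object, a copy that runs off
 * tmpssid into the canary is defined behaviour here, unlike a real frame. */
struct demo_frame {
    uint8_t tmpssid[DEMO_NWID_LEN];
    uint8_t canary[16];
};

static void demo_frame_init(struct demo_frame *fr)
{
    memset(fr->tmpssid, 0, sizeof fr->tmpssid);
    memset(fr->canary, DEMO_CANARY_BYTE, sizeof fr->canary);
}

/* 1 if the canary survived, 0 if the copy ran past tmpssid. */
int demo_canary_intact(const struct demo_frame *fr)
{
    for (size_t i = 0; i < sizeof fr->canary; i++)
        if (fr->canary[i] != DEMO_CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable shape: the length is taken from vap state and never compared
 * against sizeof(tmpssid); the copyout() that follows reuses the same size,
 * so the over-long write is followed by an over-long read of the frame. */
int demo_get_ssid_unchecked(struct demo_frame *fr, const struct demo_vap *vap,
                            struct demo_ieee80211req *ireq)
{
    /* Address tmpssid through the frame object (offset 0) so the model's
     * overrun stays inside the frame rather than being undefined. */
    uint8_t *tmpssid = (uint8_t *)fr + offsetof(struct demo_frame, tmpssid);

    ireq->i_len = vap->des_ssid_len;
    memcpy(tmpssid, vap->des_ssid, ireq->i_len);   /* OOB write if > 32 */
    memcpy(ireq->i_data, tmpssid, ireq->i_len);    /* "copyout": OOB read */
    return 0;
}

/* Hardened shape (assumed fix): refuse any length that does not fit the
 * buffer before touching it, and report the rejection to the caller. */
int demo_get_ssid_checked(struct demo_frame *fr, const struct demo_vap *vap,
                          struct demo_ieee80211req *ireq)
{
    uint16_t len = vap->des_ssid_len;

    if (len > sizeof fr->tmpssid)
        return EINVAL;
    memcpy(fr->tmpssid, vap->des_ssid, len);
    ireq->i_len = len;
    memcpy(ireq->i_data, fr->tmpssid, len);
    return 0;
}

/* Run one scenario with a constructed SSID of ssid_len 'A' bytes.
 * Returns -2 if the model cannot represent the length, -1 if the handler
 * clobbered the canary, otherwise the handler's return value. */
int demo_simulate(uint16_t ssid_len, int use_checked)
{
    struct demo_vap vap;
    struct demo_frame fr;
    uint8_t user_buf[sizeof vap.des_ssid];      /* constructed user buffer */
    struct demo_ieee80211req ireq = { 0, user_buf };
    int rc;

    if (ssid_len > sizeof vap.des_ssid)
        return -2;
    memset(&vap, 0, sizeof vap);
    memset(vap.des_ssid, 'A', ssid_len);
    vap.des_ssid_len = ssid_len;
    demo_frame_init(&fr);

    rc = use_checked ? demo_get_ssid_checked(&fr, &vap, &ireq)
                     : demo_get_ssid_unchecked(&fr, &vap, &ireq);
    return demo_canary_intact(&fr) ? rc : -1;
}

int main(void)
{
    printf("unchecked, len 32: %d\n", demo_simulate(32, 0));  /* 0 */
    printf("unchecked, len 40: %d\n", demo_simulate(40, 0));  /* -1 */
    printf("checked,   len 40: %d (EINVAL=%d)\n", demo_simulate(40, 1), EINVAL);
    return 0;
}
```

With a 40-byte SSID the unchecked handler writes 8 bytes into the canary and then reads the same 40 bytes back out, which is the pair of out-of-bounds accesses the report describes; the checked handler returns EINVAL and leaves the frame untouched.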