DF-0054
Truncated prison-id sysctl node name in prison_sysctl_create (off-by-one in ksnprintf size)
| Field | Value |
|---|---|
| ID | DF-0054 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CWE | CWE-193 Off-by-one Error |
| File | sys/kern/kern_jail.c |
| Lines | 993-994 |
| Area | kern |
| Confidence | certain |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
prison_sysctl_create() declares char id_str[7], which is correctly sized (JAIL_MAX
= 999999, so at most 6 digits plus the NUL), but calls ksnprintf(id_str, 6, "%d",
pr->pr_id): the size argument should be sizeof(id_str), i.e. 7, not 6. With size 6,
ksnprintf writes at most 5 characters plus a NUL, truncating every 6-digit pr_id
(100000-999998, half of the legal range) to its leading 5 digits. The resulting
per-prison sysctl node name (_jail.<id>) therefore collides: ids 100000-100009 all
map to "10000", and so on, so jail-management tools that address a prison via
sysctl kern.jail.<id>.* silently target the wrong prison (or fail on the
duplicate name).
Root cause
char id_str[7];
ksnprintf(id_str, 6, "%d", pr->pr_id); /* size=6 should be sizeof(id_str)=7 */
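The truncation and the resulting node-name collisions can be reproduced in userland with snprintf standing in for ksnprintf. This is an added illustration, not code from kern_jail.c: JAIL_MAX and the 7-byte id_str come from the report, while the function names, the 32-byte name buffer and the "_jail.<id>" prefix format are assumptions for the demo; it also goes one step beyond the report by counting collisions over the whole legal id range and by checking the snprintf return value in the fixed variant.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JAIL_MAX   999999  /* from the report: largest legal prison id */
#define ID_STR_LEN 7       /* 6 digits + NUL, the buffer in prison_sysctl_create */

/* Builds "_jail.<id>" as the reported code does: the buffer is 7 bytes but the
 * size passed to snprintf is hard-coded to 6.  *truncated (may be NULL)
 * receives whether snprintf had to cut the id short.  (Demo code, assumed.) */
const char *node_name_buggy(int id, bool *truncated)
{
    static char name[32];
    char id_str[ID_STR_LEN];
    int n = snprintf(id_str, 6, "%d", id);   /* BUG: 6 should be sizeof(id_str) */
    if (truncated != NULL)
        *truncated = (n < 0 || n >= 6);
    snprintf(name, sizeof(name), "_jail.%s", id_str);
    return name;
}

/* Same with the size tied to the declaration, plus a return-value check so a
 * future JAIL_MAX increase is noticed instead of silently truncating again. */
const char *node_name_fixed(int id, bool *truncated)
{
    static char name[32];
    char id_str[ID_STR_LEN];
    int n = snprintf(id_str, sizeof(id_str), "%d", id);
    if (truncated != NULL)
        *truncated = (n < 0 || (size_t)n >= sizeof(id_str));
    snprintf(name, sizeof(name), "_jail.%s", id_str);
    return name;
}

/* Counts ids in [lo, hi] (hi <= JAIL_MAX) whose node name was already produced
 * by a smaller id, i.e. prisons that cannot be addressed unambiguously. */
long count_collisions(const char *(*fn)(int, bool *), int lo, int hi)
{
    static bool seen[JAIL_MAX + 1];
    long collisions = 0;
    memset(seen, 0, sizeof(seen));
    for (int id = lo; id <= hi; id++) {
        /* Recover the numeric key from "_jail.<digits>". */
        long key = strtol(fn(id, NULL) + strlen("_jail."), NULL, 10);
        collisions += seen[key];
        seen[key] = true;
    }
    return collisions;
}
```

Over the full range 1..JAIL_MAX the buggy variant yields 900000 colliding ids, because every truncated 6-digit id lands on a name already taken by a 5-digit id; the fixed variant yields none.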
Recommended fix
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -993
- ksnprintf(id_str, 6, "%d", pr->pr_id);
+ ksnprintf(id_str, sizeof(id_str), "%d", pr->pr_id);
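Review bot: The hunk header `@@ -993` is not a valid unified-diff range (it needs both old and new ranges, e.g. `@@ -993,1 +993,1 @@`), so the patch will not apply with patch(1) as written even though the one-line change itself is right. Using sizeof(id_str) ties the size to the declaration, but the call still depends on id_str[7] staying large enough for JAIL_MAX; checking the ksnprintf return value against sizeof(id_str) would make any future range increase fail loudly rather than truncate silently.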
References
- sys/kern/kern_jail.c:993-994: the off-by-one size.
- CWE-193 Off-by-one Error.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of sys/kern/kern_jail.c.
- pending Reported to DragonFlyBSD security contact.