DragonFlyBSD Kernel Audit
DF-0058

Unbounded sh_link to symstrindex causes heap OOB read (DF-0040 analogue, worse: no check at all)

Summary

In the section scan of link_elf_load_file (link_elf.c:601-620), symstrindex is set from shdr[i].sh_link (an Elf64_Word) with no bounds check against e_shnum. DF-0040 in link_elf_obj.c had an off-by-one check (it used >); this file has no check at all. The reads of shdr[symstrindex].sh_size and shdr[symstrindex].sh_offset at :612/:620 are then out of bounds whenever symstrindex >= e_shnum. Root-only, so this is a defense-in-depth issue.
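The missing check, sketched as an added user-space example (not DragonFly's code): sh_link is validated with >= against e_shnum before the linked header is read. The struct shdr64 stand-in, the helper checked_symstrindex, the sample tables, and the extra section-type and file-size checks are assumptions of this example and go beyond what the finding itself covers.

```c
#include <stdint.h>

#define SHT_SYMTAB 2u   /* standard ELF section type values */
#define SHT_STRTAB 3u

/* Minimal stand-in for Elf64_Shdr: only the fields the scan reads. */
struct shdr64 { uint32_t sh_type, sh_link; uint64_t sh_offset, sh_size; };

/* Hypothetical helper: validated string-table index of the first SHT_SYMTAB
 * section, or -1 if none exists or its sh_link cannot be trusted. */
static int
checked_symstrindex(const struct shdr64 *shdr, uint16_t e_shnum, uint64_t file_size)
{
    for (uint16_t i = 0; i < e_shnum; i++) {
        if (shdr[i].sh_type != SHT_SYMTAB)
            continue;
        uint32_t link = shdr[i].sh_link;    /* file-controlled Elf64_Word */
        /* Must be >=: a plain > still accepts index e_shnum, one past the end. */
        if (link >= e_shnum)
            return -1;
        const struct shdr64 *str = &shdr[link];
        if (str->sh_type != SHT_STRTAB)     /* extra check, not from the finding */
            return -1;
        /* Overflow-safe form of sh_offset + sh_size <= file_size. */
        if (str->sh_offset > file_size || str->sh_size > file_size - str->sh_offset)
            return -1;
        return (int)link;
    }
    return -1;
}

/* Constructed sample section-header tables, e_shnum = 3 in each. */
static const struct shdr64 good[3]     = { {0, 0, 0, 0}, {SHT_SYMTAB, 2, 64, 48},      {SHT_STRTAB, 0, 112, 16} };
static const struct shdr64 link_eq[3]  = { {0, 0, 0, 0}, {SHT_SYMTAB, 3, 64, 48},      {SHT_STRTAB, 0, 112, 16} };
static const struct shdr64 link_big[3] = { {0, 0, 0, 0}, {SHT_SYMTAB, 0xffffu, 64, 48}, {SHT_STRTAB, 0, 112, 16} };

int main(void)
{
    /* Exit 0 only if the valid table is accepted and both bad links are rejected. */
    return (checked_symstrindex(good, 3, 128) == 2 &&
            checked_symstrindex(link_eq, 3, 128) == -1 &&
            checked_symstrindex(link_big, 3, 128) == -1) ? 0 : 1;
}
```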