DragonFlyBSD Kernel Audit
DF-0082

Latent heap overflow in sbuf_extend via int truncation of caller length (zero callers, unreachable today)

Summary

sbuf_extend (subr_sbuf.c:151) takes an int addlen, computes newsize = sbuf_extendsize(s_size + addlen) (:158) and then does memcpy(newbuf, s_buf, s_size) (:162) without verifying that newsize >= s_size. sbuf_extendsize (:131) returns 16 for any argument <= 16, including negative values.

sbuf_bcopyin (:424) calls sbuf_extend(s, len - SBUF_FREESPACE(s)) where len is a size_t. If len >= 2^31 + freespace, the size_t difference has bit 31 set and is truncated to a negative int addlen; s_size + addlen then goes negative, sbuf_extendsize returns 16, and if s_size > 16 the memcpy writes s_size bytes into a 16-byte buffer: a heap overflow. sbuf_uionew (:246) has a related integer overflow in uio_resid + 1.

Unreachable today: sbuf_bcopyin, sbuf_copyin and sbuf_uionew have zero callers in sys/ (checked with ripgrep). All live consumers append via sbuf_put_byte, where addlen == 1. This is a latent API foot-gun for future module callers.
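To make the arithmetic above concrete, here is an added C model (not the kernel's own code) that reproduces the size_t-to-int truncation and shows the check sbuf_extend lacks. model_extendsize, truncated_addlen, unchecked_newsize and checked_extend are hypothetical names, and the doubling-only growth policy is a simplification assumed for illustration; the numbers assume a 64-bit size_t and 32-bit int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical model of sbuf_extendsize()'s rounding policy as the finding
 * describes it: a request of 16 or less (negative included) yields 16. */
static int model_extendsize(int size)
{
	int newsize = 16;
	while (newsize < size)
		newsize *= 2;
	return newsize;
}

/* The addlen that sbuf_bcopyin() hands to sbuf_extend(): a size_t difference
 * narrowed to int. Out-of-range conversion wraps on every mainstream ABI. */
int truncated_addlen(size_t len, size_t freespace)
{
	return (int)(len - freespace);
}

/* Unchecked path modeled on the finding: the size memcpy's destination
 * would have, with no comparison against s_size. */
int unchecked_newsize(int s_size, int addlen)
{
	return model_extendsize(s_size + addlen);
}

/* Hardened variant: reject negative or overflowing requests and any newsize
 * that cannot hold the existing s_size bytes. Returns -1 on rejection. */
int checked_extend(int s_size, int addlen)
{
	if (addlen < 0 || addlen > INT_MAX - s_size)
		return -1;
	int newsize = model_extendsize(s_size + addlen);
	if (newsize < s_size)
		return -1;
	return newsize;
}

int main(void)
{
	/* Constructed input: len just past 2^31 plus the free space. */
	size_t len = ((size_t)1 << 31) + 32, freespace = 32;
	int s_size = 4096, addlen = truncated_addlen(len, freespace);
	printf("addlen=%d unchecked=%d checked=%d\n", addlen,
	       unchecked_newsize(s_size, addlen), checked_extend(s_size, addlen));
	return 0;
}
```

With a 4096-byte sbuf the unchecked path yields a 16-byte destination for a 4096-byte copy, while checked_extend rejects the request.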