DragonFlyBSD Kernel Audit
DF-0086

dev_dopen dereferences inner *a_fpp without NULL check (latent panic, no current trigger)

Summary

dev_dopen (kern_device.c:151-152) contains if(ap.a_fpp) (*ap.a_fpp)->f_data=vp. The check guards only the outer pointer-to-pointer; the inner *a_fpp is dereferenced unconditionally. If a caller passes a non-NULL a_fpp whose pointed-to struct file* is NULL, the result is a NULL pointer dereference panic. There is no in-tree trigger: vn.c passes a_fpp=NULL (:586/:660), and the devfs open path forwards from vn_open, which has already allocated the struct file. This is a latent hardening gap for future callers. Fix: extend the check to if(ap.a_fpp && *ap.a_fpp!=NULL).
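Added example, not code from the audit or from the DragonFlyBSD tree: a user-space model of the check, with the unguarded form beside the hardened one and the three caller shapes the finding names (a_fpp NULL, a pre-allocated struct file, and a hypothetical caller passing a pointer to a NULL file). The struct and function names are stand-ins, not the kernel's.

```c
#include <stddef.h>

/* Minimal stand-ins for the kernel types (constructed for this example). */
struct vnode { int v_id; };
struct file { void *f_data; };

/* The pattern the finding describes: the outer pointer-to-pointer (a_fpp)
 * is checked but the struct file it points at is not, so a non-NULL fpp
 * with *fpp == NULL makes this write through NULL. */
static void record_vnode_unguarded(struct file **fpp, struct vnode *vp)
{
	if (fpp)
		(*fpp)->f_data = vp;	/* faults when *fpp == NULL */
}

/* Hardened form: returns 1 if f_data was recorded, 0 if no file to use. */
static int record_vnode_guarded(struct file **fpp, struct vnode *vp)
{
	if (fpp != NULL && *fpp != NULL) {
		(*fpp)->f_data = vp;
		return 1;
	}
	return 0;
}

/* vn.c style caller: a_fpp == NULL. Both forms are safe; nothing recorded. */
static int scenario_null_outer(void)
{
	struct vnode vn = { 1 };
	record_vnode_unguarded(NULL, &vn);
	return record_vnode_guarded(NULL, &vn);
}

/* vn_open/devfs style caller: file already allocated, f_data gets vp. */
static int scenario_valid_file(void)
{
	struct vnode vn = { 2 };
	struct file f = { NULL }, *fp = &f;
	int rc = record_vnode_guarded(&fp, &vn);
	return rc == 1 && f.f_data == &vn;
}

/* Hypothetical future caller: fpp valid but *fpp == NULL. Only the guarded
 * form survives; record_vnode_unguarded(&fp, &vn) would fault here. */
static int scenario_null_inner(void)
{
	struct vnode vn = { 3 };
	struct file *fp = NULL;
	return record_vnode_guarded(&fp, &vn);
}
```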