DragonFlyBSD Kernel Audit
DF-0111

CT_CHAR (%c) non-suppress bcopy reads width bytes without checking inr -> OOB read

Summary

The non-suppress branch of CT_CHAR in kvsscanf (:308) calls bcopy(inp, va_arg(ap, char *), width) without checking that width <= inr. The SUPPRESS branch (:292) correctly clamps to min(inr, width). If width > inr (e.g. %5c on a 3-character input), the copy reads past the NUL terminator into adjacent kernel memory. No in-tree caller uses %c with a width greater than 1 on untrusted input today, so this is a latent bug.
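
A user-space model of the two behaviours, added here as an example and not taken from the DragonFlyBSD source: ct_char_unchecked, ct_char_clamped, scan_5c and the mem/out buffers are hypothetical names, memcpy stands in for bcopy, and clamping is an assumed fix modelled on the SUPPRESS branch. The constructed buffer keeps the over-read inside one array so the run is well defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the non-suppress CT_CHAR copy as the finding describes it:
 * width bytes are copied and inr is never consulted. */
static size_t
ct_char_unchecked(const char *inp, size_t inr, size_t width, char *dst)
{
	(void)inr;
	memcpy(dst, inp, width);	/* stands in for bcopy(inp, dst, width) */
	return (width);
}

/* Assumed fix: clamp to min(inr, width) like the SUPPRESS branch;
 * a return of 0 means input failure (nothing left to convert). */
static size_t
ct_char_clamped(const char *inp, size_t inr, size_t width, char *dst)
{
	size_t n = (inr < width) ? inr : width;
	if (n > 0)
		memcpy(dst, inp, n);
	return (n);
}

/* Constructed memory image: the 3-char input "abc", its NUL, then marker
 * bytes standing in for whatever follows the string in kernel memory. */
static const char mem[8] = { 'a', 'b', 'c', '\0', 'X', 'Y', 'Z', '\0' };
char out[8];			/* destination of the %5c conversion */

/* Apply %5c (width 5) to the 3-char input (inr 3); returns bytes copied. */
size_t
scan_5c(int clamped)
{
	memset(out, 0, sizeof(out));
	return (clamped ? ct_char_clamped(mem, 3, 5, out)
	    : ct_char_unchecked(mem, 3, 5, out));
}

int
main(void)
{
	size_t n = scan_5c(0);
	printf("unchecked: copied %zu, out[4]='%c'\n", n, out[4]);
	n = scan_5c(1);
	printf("clamped:   copied %zu, out[4]=%d\n", n, out[4]);
	return (0);
}
```

In the unchecked run the caller's buffer receives the NUL and the first marker byte, which is the adjacent-memory read the finding describes; the clamped run stops at the three input bytes.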