DragonFlyBSD Kernel Audit
DF-0119

Latent OOB write if aux_data/aux_size invariant breaks

Summary

In the DMSG_DBG_SHELL reply handler, the guard is if (msg->aux_data), but the write msg->aux_data[msg->aux_size - 1] = 0 (line 208) assumes aux_size > 0. If aux_size == 0 while aux_data is non-NULL, the index underflows to SIZE_MAX and the write lands out of bounds. This is currently mitigated because the receive path in kern_dmsg.c always allocates aux_data with aux_size > 0, but that is a fragile defense: the handler's safety depends on an invariant maintained elsewhere rather than on its own check.
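Added example, not code from the audit or from the DragonFly sources: a constructed stand-in struct (audit_msg, with only aux_data and aux_size) compares the original guard shape with a hardened one that also requires aux_size > 0. The out-of-bounds index is computed and reported, never written, so the check runs safely; all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the message header; only the two fields the
 * finding concerns are modelled. Not the DragonFly dmsg structure. */
struct audit_msg {
    char   *aux_data;
    size_t  aux_size;
};

/* Index the original write touches: aux_size - 1, computed in size_t so a
 * zero aux_size wraps to SIZE_MAX exactly as described in the finding. */
size_t aux_term_index(const struct audit_msg *msg)
{
    return msg->aux_size - 1;
}

/* Original guard shape: only aux_data is checked. Returns 1 if the write
 * would be in bounds, 0 if it would be out of bounds, -1 if skipped.
 * The write itself is deliberately not performed. */
int terminate_original_guard(const struct audit_msg *msg)
{
    if (msg->aux_data == NULL)
        return -1;
    return aux_term_index(msg) < msg->aux_size ? 1 : 0;
}

/* Hardened guard: refuse to touch the last byte of an empty buffer.
 * Returns 1 after terminating, -1 if there was nothing to terminate. */
int terminate_hardened_guard(struct audit_msg *msg)
{
    if (msg->aux_data == NULL || msg->aux_size == 0)
        return -1;
    msg->aux_data[msg->aux_size - 1] = '\0';
    return 1;
}

int main(void)
{
    char buf[4] = "abcd";                       /* constructed payload */
    struct audit_msg ok    = { buf, sizeof buf };
    struct audit_msg empty = { buf, 0 };        /* non-NULL data, size 0 */
    printf("size %zu: original=%d hardened=%d\n", ok.aux_size,
           terminate_original_guard(&ok), terminate_hardened_guard(&ok));
    printf("size 0: index=%zu original=%d hardened=%d\n",
           aux_term_index(&empty), terminate_original_guard(&empty),
           terminate_hardened_guard(&empty));
    return 0;
}
```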