DragonFlyBSD Kernel Audit
← dashboard
DF-0121

Signed/unsigned confusion defeats length clamp in KENV_GET

Summary

KENV_GET: size_t len vs int uap->len comparison(:142). Negative uap->len promotes to SIZE_MAX, clamp skipped, copyout writes strlen(value)+1 bytes (max 129). Caller can only overwrite own buffer. API correctness issue.