DragonFlyBSD Kernel Audit
DF-0132

Unvalidated sensor type as array index: OOB write in sensor_attach/detach

Summary

sensor_attach (:143-144) and sensor_detach (:192-193) index sensdev->maxnumt[sens->type] without bounding sens->type to [0, SENSOR_MAX_TYPES). sensor_sysctl_install (:417) indexes sensor_type_s[sens->type] the same way. An out-of-bounds type either corrupts adjacent ksensordev heap fields (the maxnumt write) or faults on a garbage pointer (the sensor_type_s read). Not userspace-reachable: in-tree drivers pass valid enum values. The fix is defense-in-depth against out-of-tree or buggy modules.
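A minimal userspace model of the missing range check, added here as an illustration and not taken from the DragonFlyBSD tree. The `model_*` names, `MODEL_MAX_TYPES` (a constructed stand-in for SENSOR_MAX_TYPES), the `sensors_count` field and the EINVAL return are assumptions of the model; only `maxnumt` and `type` come from the finding.

```c
#include <errno.h>
#include <stddef.h>

#define MODEL_MAX_TYPES 8	/* constructed stand-in for SENSOR_MAX_TYPES */

struct model_sensor {
	int type;		/* stands in for sens->type */
	int numt;		/* per-type index assigned at attach */
};

struct model_sensordev {
	int maxnumt[MODEL_MAX_TYPES];
	int sensors_count;	/* neighbouring field an OOB index would clobber */
};

/* One range check shared by every site that indexes by type. */
static int
model_type_valid(int type)
{
	/* The unsigned compare rejects negative and too-large values in one test. */
	return ((unsigned int)type < (unsigned int)MODEL_MAX_TYPES);
}

int
model_sensor_attach(struct model_sensordev *dev, struct model_sensor *s)
{
	if (dev == NULL || s == NULL || !model_type_valid(s->type))
		return (EINVAL);	/* refuse before touching maxnumt[] */
	s->numt = dev->maxnumt[s->type]++;
	dev->sensors_count++;
	return (0);
}

int
model_sensor_detach(struct model_sensordev *dev, struct model_sensor *s)
{
	if (dev == NULL || s == NULL || !model_type_valid(s->type))
		return (EINVAL);
	if (dev->sensors_count == 0 || dev->maxnumt[s->type] == 0)
		return (EINVAL);	/* nothing of this type is attached */
	/* Shrink only when the highest-numbered sensor of this type leaves. */
	if (s->numt == dev->maxnumt[s->type] - 1)
		dev->maxnumt[s->type]--;
	dev->sensors_count--;
	return (0);
}
```

The same predicate would guard the sensor_type_s[sens->type] lookup, so all three sites share one definition of a valid type.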