DragonFlyBSD Kernel Audit
← dashboard
DF-0150

Unbounded strlen/strcmp on TLV string fields ignores declared length

Summary

preload_search_by_name(:69-75) obtains scanname=curp+8 then strlen/strcmp without checking hdr[1]. Non-NUL-terminated value -> scan past field into adjacent metadata. Boot-time only, requires malformed metadata.