DragonFlyBSD Kernel Audit
DF-0209

clist_nextc trusts caller cp without validating within live ring window

Summary

clist_nextc (:248) computes an offset with raw pointer arithmetic, cp - c_data, and dereferences *cp (:265) with no bounds check. If the clist is mutated between calls, the caller is left holding a stale or use-after-free iterator. Current callers do not mutate the queue they iterate, so the issue is latent.
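The following is an added example, not DragonFly's code: a simplified C model of a ring-buffer queue showing the kind of live-window check the summary says is missing before an iterator pointer is used. The struct layout (apart from the name c_data), the element type and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a circular character queue. Only c_data is a name
 * from the finding; the other fields and all functions are assumptions. */
struct ring {
    int cc;                 /* number of live elements */
    int ccmax;              /* capacity of c_data */
    int cchead;             /* index of the first live element */
    unsigned char *c_data;  /* backing storage */
};

/* Map cp to its logical position (0..cc-1) in the live window, or -1. */
static int ring_pos(const struct ring *r, const unsigned char *cp)
{
    uintptr_t base = (uintptr_t)r->c_data, p = (uintptr_t)cp;
    int rel;
    if (!r->c_data || !cp || r->cc <= 0 || r->cc > r->ccmax ||
        r->cchead < 0 || r->cchead >= r->ccmax)
        return -1;                      /* bad argument or inconsistent state */
    if (p < base || p - base >= (uintptr_t)r->ccmax)
        return -1;                      /* outside the backing buffer */
    rel = (int)(p - base) - r->cchead;
    if (rel < 0)
        rel += r->ccmax;                /* live window wraps around */
    return rel < r->cc ? rel : -1;      /* in buffer but not live: stale */
}

/* Checked step: index of the element after cp, -1 at end or on bad cp. */
static int ring_next_checked(const struct ring *r, const unsigned char *cp)
{
    int pos = ring_pos(r, cp);
    if (pos < 0 || pos + 1 >= r->cc)
        return -1;
    return (r->cchead + pos + 1) % r->ccmax;
}

/* Constructed 8-slot ring: step from slot idx with the given head/count. */
static int step_from(int head, int cc, int idx)
{
    static unsigned char buf[8];
    struct ring r = { cc, 8, head, buf };
    return ring_next_checked(&r, buf + idx);
}

int main(void)
{
    printf("%d %d\n", step_from(6, 4, 7), step_from(0, 2, 7));
    return 0;
}
```

The second call in main models the mutation case: slot 7 was live while the head was at 6, but after the queue is consumed down to slots 0 and 1 the same pointer is rejected instead of dereferenced.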