DragonFlyBSD Kernel Audit
DF-0260

tcpopts_match/ipopts_match read options beyond m_pullup-guaranteed contiguous region

Summary

ipfw_setup_local (:3323) only pulls up hlen + sizeof(struct tcphdr), i.e. the IP header plus the 20-byte fixed TCP header. tcpopts_match (:1296-1301) then walks the TCP options from offset hlen + 20 for the length implied by th_off, without a further m_pullup. Because th_off can claim a header of up to 60 bytes, the walk can read up to 40 bytes past the region m_pullup made contiguous. For protocols other than TCP, UDP and ICMP no pullup is done at all (:3342-3344), so option parsing there has no contiguity guarantee either.

Remotely triggerable: an attacker sends a packet whose th_off is larger than the bytes actually pulled up. The walk then consumes whatever follows the contiguous region in the first mbuf, typically stale data left by an earlier packet, so option-based rule matching (tcpopts_match, ipopts_match) can match or fail on bytes that are not part of this packet. Where the mbuf's data area is smaller than the claimed header (non-standard mbuf layouts), the read runs out of bounds of the buffer.

Fix: before walking options, require hlen + (th_off << 2) <= m_len, pulling up to that length if needed, and reject th_off < 5 or a header longer than the packet; apply the same contiguity check to the ip_hl-driven walk in ipopts_match.
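The following is an added userland model of the bug and its fix; it is not DragonFlyBSD code. The struct pkt, tcpopts_walk and the sample packet are hypothetical: `contig` stands for the bytes m_pullup made contiguous (m_len), the bytes beyond it stand for stale memory behind the pulled-up region. The unchecked walk trusts th_off alone and picks up an MSS option from the stale bytes; the checked walk refuses until the caller pulls up hlen + th_off, after which the same parser walks the real options.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an mbuf after m_pullup(hlen + sizeof(struct tcphdr)):
 * only the first `contig` bytes at `data` are guaranteed contiguous. Bytes
 * past `contig` belong to the next mbuf in the chain or are stale storage
 * and must not be read directly. All names here are hypothetical. */
struct pkt {
    const uint8_t *data;
    size_t contig;   /* bytes guaranteed contiguous (m_len after pullup) */
    size_t total;    /* total packet length (m_pkthdr.len) */
};

#define TCP_OPT_EOL 0
#define TCP_OPT_NOP 1

/* Returns a bitmask of the option kinds seen (bit k for kind k < 31), or -1
 * if the walk is refused. check_contig selects the hardened behaviour; with
 * it off, the walk trusts th_off alone, as the audited code does. */
static int tcpopts_walk(const struct pkt *p, size_t hlen, int check_contig)
{
    if (hlen + 20 > p->contig)
        return -1;                               /* fixed header not contiguous */
    size_t th_off = (size_t)(p->data[hlen + 12] >> 4) * 4;
    if (th_off < 20 || hlen + th_off > p->total)
        return -1;                               /* bogus or truncated data offset */
    if (check_contig && hlen + th_off > p->contig)
        return -1;                               /* caller must m_pullup(hlen + th_off) first */

    const uint8_t *cp = p->data + hlen + 20;
    size_t left = th_off - 20;                   /* at most 40 bytes of options */
    int seen = 0;
    while (left > 0) {
        uint8_t kind = cp[0];
        size_t len;
        if (kind == TCP_OPT_EOL)
            break;
        if (kind == TCP_OPT_NOP) {
            len = 1;
        } else {
            if (left < 2)
                return -1;
            len = cp[1];
            if (len < 2 || len > left)
                return -1;                       /* option overruns the header */
        }
        if (kind < 31)
            seen |= 1 << kind;
        cp += len;
        left -= len;
    }
    return seen;
}

/* Constructed packet: 20-byte IPv4 header, TCP header with th_off = 15
 * (60-byte header, 40 bytes of options claimed), total length 80. Only the
 * first 40 bytes were pulled up; bytes 40.. stand in for stale memory left
 * by an earlier packet: an MSS option (kind 2, len 4) followed by EOL. */
static const uint8_t backing[80] = {
    /* IPv4 header, ihl = 5, total length 80, proto TCP */
    0x45, 0x00, 0x00, 0x50, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    /* TCP header: sport 1234, dport 80, th_off = 15 (0xf0), SYN */
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0xf0, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    /* "stale" bytes beyond the contiguous region: MSS 1460, then EOL */
    0x02, 0x04, 0x05, 0xb4, 0x00,
};

static const struct pkt pulled_up_20 = { backing, 40, 80 };   /* hlen + sizeof(tcphdr) only */
static const struct pkt pulled_up_all = { backing, 80, 80 };  /* hlen + (th_off << 2) */

int unchecked_result(void)     { return tcpopts_walk(&pulled_up_20, 20, 0); }
int checked_result(void)       { return tcpopts_walk(&pulled_up_20, 20, 1); }
int checked_after_pullup(void) { return tcpopts_walk(&pulled_up_all, 20, 1); }

int main(void)
{
    printf("unchecked walk:        %d (MSS bit set from stale bytes)\n", unchecked_result());
    printf("checked walk:          %d (refused, pullup required)\n", checked_result());
    printf("checked after pullup:  %d (real options walked)\n", checked_after_pullup());
    return 0;
}
```

The unchecked walk classifies the packet as carrying an MSS option although those bytes were never part of the pulled-up data; the checked variant returns -1 until the caller has pulled up the full hlen + (th_off << 2), which is the check the audited path lacks.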