DragonFlyBSD Kernel Audit
DF-0261

act_ofs copied from user input without validation against cmd_len -> heap OOB read

Summary

ipfw_check_ioc_rule() (:5311) never validates act_ofs <= cmd_len. rule->act_ofs is copied raw from user input (:4515). ACTION_PTR(f) expands to cmd + act_ofs (ip_fw2.h:442). The check-state path (:4207) dereferences cmd->opcode at the out-of-bounds offset, which panics on an unknown opcode (:4367). Root-only: IP_FW_ADD with act_ofs > cmd_len, followed by a check-state hit.
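As an added example (not code from the DragonFly tree), this is the validation the summary says ipfw_check_ioc_rule() lacks, written against a minimal stand-in for ipfw_insn: the field names, F_LEN_MASK and F_LEN() are assumptions modeled on ip_fw2.h, and the sample instruction list is constructed. Beyond the plain act_ofs < cmd_len test it also walks the instruction list, so an offset landing mid-instruction is rejected as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Instruction header modeled on ipfw's ipfw_insn (field names are an
 * assumption based on ip_fw2.h, not copied from the DragonFly source). */
typedef struct {
    uint8_t  opcode;
    uint8_t  len;     /* low 6 bits: instruction length in 32-bit words */
    uint16_t arg1;
} ipfw_insn;

#define F_LEN_MASK 0x3f
#define F_LEN(cmd)  ((cmd)->len & F_LEN_MASK)

/* The check missing from ipfw_check_ioc_rule(): act_ofs must be strictly
 * inside cmd[] and on an instruction boundary, so ACTION_PTR(f) =
 * cmd + act_ofs names a complete instruction. Returns 0 or EINVAL. */
int validate_act_ofs(const ipfw_insn *cmd, uint16_t cmd_len, uint16_t act_ofs)
{
    uint32_t ofs = 0;

    if (cmd_len == 0 || act_ofs >= cmd_len)
        return EINVAL;            /* DF-0261: offset at or past end of cmd[] */

    while (ofs < cmd_len) {
        uint32_t cmdlen = F_LEN(&cmd[ofs]);
        if (cmdlen == 0 || cmdlen > (uint32_t)cmd_len - ofs)
            return EINVAL;        /* zero-length or truncated instruction */
        if (ofs == act_ofs)
            return 0;             /* action starts on a boundary and fits */
        ofs += cmdlen;
    }
    return EINVAL;                /* act_ofs falls inside an instruction */
}

/* Constructed sample: one 2-word match instruction, then a 1-word action. */
static const ipfw_insn sample_cmd[3] = {
    { 0x01, 2, 0 }, { 0, 0, 0 },  /* 2-word instruction + its payload word */
    { 0x02, 1, 0 },               /* action */
};

int main(void)
{
    printf("act_ofs=2 -> %d\n", validate_act_ofs(sample_cmd, 3, 2)); /* 0 */
    printf("act_ofs=3 -> %d\n", validate_act_ofs(sample_cmd, 3, 3)); /* EINVAL */
    return 0;
}
```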