DragonFlyBSD Kernel Audit
← dashboard
DF-0270

OOB read in PAP ACK/NAK debug: wrong bound len+4 should be len-4

Summary

PAP_ACK(:4390) and PAP_NAK(:4426) debug: name_len<len+4 guard should be name_len<len-4. name at offset 5, name_len at offset 4. Off by 8. sppp_print_string walks past valid mbuf data -> stale bytes to syslog. IFF_DEBUG only.