DragonFlyBSD Kernel Audit
DF-0274

SIOCADDMULTI trusts user sa_len for heap alloc and bcopy without bounds check

Summary

On SIOCADDMULTI (:2327), if_addmulti passes &ifr_addr to if_addmulti_serialized, and sa_len is not validated. if_addmulti_serialized (:2703-2704) then does kmalloc(sa->sa_len) followed by bcopy(sa, dupsa, sa->sa_len). sa_len can be up to 255, but ifr_addr starts at offset 16 in the 32-byte ifreq, so the copy reads up to 239 bytes past valid storage. The result is a heap info leak via the routing socket.
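The missing check, sketched as an added userland example (not DragonFlyBSD source and not part of the original finding). The struct and function names are hypothetical stand-ins that reproduce only the layout described above: a 32-byte request with the address at offset 16.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userland model of the layout the finding describes:
 * a 32-byte request whose address field starts at offset 16. */
struct sockaddr_model {            /* hypothetical stand-in for struct sockaddr */
    uint8_t sa_len;                /* caller-controlled total length */
    uint8_t sa_family;
    uint8_t sa_data[14];
};
struct ifreq_model {               /* hypothetical stand-in for struct ifreq */
    char ifr_name[16];
    struct sockaddr_model ifr_addr;
};

/* Bytes an unchecked bcopy(sa, dupsa, sa->sa_len) would read beyond the
 * `avail` bytes of storage that actually back the sockaddr. */
static size_t overread_bytes(uint8_t sa_len, size_t avail)
{
    return sa_len > avail ? (size_t)sa_len - avail : 0;
}

/* Hardened duplicate: refuse any sa_len shorter than the len/family
 * header or longer than the storage that holds the sockaddr. */
static struct sockaddr_model *dup_sockaddr_checked(const struct sockaddr_model *sa,
                                                   size_t avail)
{
    size_t len = sa->sa_len;

    if (avail > sizeof(*sa))       /* never trust more than the model holds */
        avail = sizeof(*sa);
    if (len < offsetof(struct sockaddr_model, sa_data) || len > avail)
        return NULL;               /* kernel code would return EINVAL here */
    struct sockaddr_model *dupsa = calloc(1, sizeof(*dupsa));
    if (dupsa != NULL)
        memcpy(dupsa, sa, len);    /* copy is bounded by the validated len */
    return dupsa;
}

int main(void)
{
    struct ifreq_model req = {0};
    req.ifr_addr.sa_len = 255;     /* constructed worst-case input */
    /* exit status 0 means the oversized length was rejected */
    return dup_sockaddr_checked(&req.ifr_addr, sizeof req.ifr_addr) != NULL;
}
```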