DragonFlyBSD Kernel Audit
DF-0280

Integer overflow in ptr_array allocation in pf_setup_pfsync_matching (32-bit only theoretical)

Summary

The pointer array is allocated with kmalloc(sizeof(caddr_t) * rcount, ...), where rcount is a u32. On 32-bit targets size_t is also 32 bits wide, so the multiplication can wrap to a small value and the allocation comes back undersized; the following TAILQ_FOREACH loop then stores to ptr_array[rule->nr] past the end of that buffer. On amd64 size_t is 64 bits and the product cannot wrap. Latent: reachable only on 32-bit builds and theoretical in practice.
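The arithmetic behind this entry, as an added example that is not DragonFly source: it models sizeof(caddr_t) * rcount for a 32-bit and a 64-bit size_t, shows the value an unchecked kmalloc call would receive on each, and puts the overflow check that prevents the undersized allocation beside it. All function names are hypothetical; the element sizes assume the usual 4-byte (i386) and 8-byte (amd64) pointers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not DragonFly code. Models the allocation-size
 * arithmetic described in DF-0280: sizeof(caddr_t) * rcount, where
 * rcount is a 32-bit count and size_t is either 32 or 64 bits wide.
 * All names are hypothetical. */

/* Largest value a size_t of `size_bits` bits can hold. */
static uint64_t size_max(unsigned size_bits)
{
    return size_bits >= 64 ? UINT64_MAX : ((uint64_t)1 << size_bits) - 1;
}

/* What the unchecked expression sizeof(caddr_t) * rcount becomes once
 * truncated to a size_t of the given width: the byte count the
 * allocator would actually be asked for. */
uint64_t unchecked_alloc_size(uint64_t elem_size, uint32_t rcount,
                              unsigned size_bits)
{
    uint64_t product = elem_size * (uint64_t)rcount; /* exact in 64 bits */
    return product & size_max(size_bits);
}

/* Overflow-checked form: refuses instead of handing a wrapped size to
 * the allocator. Portable division-based check, no compiler builtins. */
bool checked_alloc_size(uint64_t elem_size, uint32_t rcount,
                        unsigned size_bits, uint64_t *out)
{
    if (elem_size == 0) {
        *out = 0;
        return true;
    }
    if (rcount > size_max(size_bits) / elem_size)
        return false;              /* product would not fit in size_t */
    *out = elem_size * (uint64_t)rcount;
    return true;
}

/* True when a buffer of `bytes` holds fewer than rcount pointers, i.e.
 * when a later ptr_array[nr] store for some nr < rcount can land past
 * the end of the allocation. */
bool ptr_array_too_small(uint64_t bytes, uint64_t elem_size, uint32_t rcount)
{
    return bytes / elem_size < rcount;
}

int main(void)
{
    uint64_t bytes;
    /* i386: 4-byte pointers, 32-bit size_t. A count just over 2^30 wraps. */
    uint32_t rcount = 0x40000001u;
    uint64_t wrapped = unchecked_alloc_size(4, rcount, 32);
    printf("i386 unchecked: rcount=%u -> kmalloc(%llu bytes), too small: %d\n",
           rcount, (unsigned long long)wrapped,
           ptr_array_too_small(wrapped, 4, rcount));
    printf("i386 checked:   %s\n",
           checked_alloc_size(4, rcount, 32, &bytes) ? "ok" : "rejected");
    /* amd64: 8-byte pointers, 64-bit size_t. Even UINT32_MAX cannot wrap. */
    printf("amd64 checked:  %s\n",
           checked_alloc_size(8, UINT32_MAX, 64, &bytes) ? "ok" : "rejected");
    return 0;
}
```

With rcount = 0x40000001 the 32-bit product is 0x100000004, which truncates to 4 bytes: room for one pointer while the loop may index up to rcount - 1. The checked form rejects that count outright, and on a 64-bit size_t the same check accepts any u32 count because the product always fits.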