DragonFlyBSD Kernel Audit
← dashboard
DF-0282

Signed tx_cred overflow and OOB credit byte read in UIH reception

Summary

tx_cred int16_t(:296) incremented by attacker byte with NO upper bound. ~130 credit-grant UIH frames overflow int16_t. Also: zero-length UIH with PF set reads *mtod stale mbuf byte as credit(:2416) without payload-length check.