DragonFlyBSD Kernel Audit
DF-0284

Missing per-command payload bounds checks in MCC handlers (OOB read)

Summary

receive_mcc (:2521) checks that the total length matches, but the per-command handlers cast hdr+1 to a fixed-size struct without checking that length >= sizeof that struct. When length < struct size, the MSC/RLS/RPN/PN handlers read stale mbuf bytes past the declared payload. The reads stay inside the mbuf buffer, so there is no crash, but the stale data influences protocol logic.
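An added example (not the kernel's code and not part of the audit): a user-space C model of the pattern described above, with the unchecked handler beside one that enforces length >= sizeof. The struct layouts, error codes, function names and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts for illustration; not the kernel's definitions. */
struct mcc_hdr { uint8_t type; uint8_t length; };   /* length: declared payload bytes */
struct mcc_msc { uint8_t address; uint8_t modem; }; /* fixed-size MSC payload */
enum { MCC_OK = 0, MCC_ESHORT = -1, MCC_EMISMATCH = -2 };

/* Constructed sample: 3-byte frame (hdr + 1 payload byte) in a larger buffer; offset 3 is stale. */
static const uint8_t sample_buf[16] = { 0x01, 0x01, 0x0B, 0x8D };
#define SAMPLE_FRAMELEN 3

/* The receive_mcc-style check: declared length (frame[1]) must match the bytes received. */
static int mcc_total_ok(const uint8_t *frame, size_t framelen)
{
    if (framelen < sizeof(struct mcc_hdr))
        return MCC_ESHORT;
    return (sizeof(struct mcc_hdr) + frame[1] == framelen) ? MCC_OK : MCC_EMISMATCH;
}

/* Pattern from the finding: full struct copied with no length >= sizeof test. */
static int msc_unchecked(const uint8_t *buf, size_t framelen, struct mcc_msc *out)
{
    int rc = mcc_total_ok(buf, framelen);
    if (rc != MCC_OK)
        return rc;
    memcpy(out, buf + sizeof(struct mcc_hdr), sizeof(*out)); /* pulls in the stale byte */
    return MCC_OK;
}

/* Hardened handler: reject a declared payload shorter than the struct it feeds. */
static int msc_checked(const uint8_t *buf, size_t framelen, struct mcc_msc *out)
{
    int rc = mcc_total_ok(buf, framelen);
    if (rc != MCC_OK)
        return rc;
    if (buf[1] < sizeof(*out))
        return MCC_ESHORT;
    memcpy(out, buf + sizeof(struct mcc_hdr), sizeof(*out));
    return MCC_OK;
}

int main(void)
{
    struct mcc_msc m = {0, 0}; /* exit 0: unchecked accepts the short frame, checked rejects */
    return !(msc_unchecked(sample_buf, SAMPLE_FRAMELEN, &m) == MCC_OK &&
             msc_checked(sample_buf, SAMPLE_FRAMELEN, &m) == MCC_ESHORT);
}
```

The same length >= sizeof test applies to each fixed-size payload (RLS, RPN, PN) before its cast.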