DragonFlyBSD Kernel Audit
← dashboard
DF-0297

1-byte heap OOB read in ng_name_node name-length validation

Summary

ng_name_node(:817-821) loop scans name[0..NG_NODESIZ-1]. If no terminator found, exits i==NG_NODESIZ. Subsequent name[i]!=NUL reads name[32] = 1 byte past 32-byte struct ngm_name.name field = 1 byte past kmallocd message buffer. Root-only.