DragonFlyBSD Kernel Audit
DF-0354

nd6_sysctl_prlist stack buffer over-read leaks kernel memory when router count exceeds buffer capacity

Summary

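In nd6_sysctl_prlist (lines 2238-2262), the inner loop increments advrtrs even for entries that do NOT fit in the 1024-byte stack buffer buf: those entries are skipped with continue (line 2241) but are still counted. The length computed at line 2261, advance = sizeof(p) + sizeof(sin6) * advrtrs, therefore uses the TOTAL router count rather than the number of entries actually stored. SYSCTL_OUT (line 2262) then copies advance bytes out of buf[1024], reading past the end of the stack buffer.

Impact: a remote attacker floods RAs (Router Advertisements) from many sources, which creates many prefix routers; an unprivileged sysctl read then leaks kernel stack memory.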
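The length mismatch described above, reduced to a userland model (an added example, not DragonFlyBSD source). HDR_SIZE and RTR_SIZE are constructed stand-ins for sizeof(p) and sizeof(sin6), and the function names are hypothetical; only the 1024-byte buffer size comes from the finding.

```c
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 1024   /* stack staging buffer size, from the finding */
#define HDR_SIZE 64     /* constructed stand-in for sizeof(p) */
#define RTR_SIZE 28     /* constructed stand-in for sizeof(sin6) */

/* Walk the router list: 'total' counts every entry, 'stored' only the
 * entries that actually fit in the staging buffer. */
static void count_routers(size_t nrouters, size_t *total, size_t *stored)
{
    size_t off = HDR_SIZE;
    *total = *stored = 0;
    for (size_t i = 0; i < nrouters; i++) {
        (*total)++;
        if (off + RTR_SIZE > BUF_SIZE)
            continue;               /* skipped, but already counted */
        off += RTR_SIZE;
        (*stored)++;
    }
}

/* Flawed pattern: copy length derived from the total count. */
static size_t advance_flawed(size_t nrouters)
{
    size_t total, stored;
    count_routers(nrouters, &total, &stored);
    return HDR_SIZE + RTR_SIZE * total;
}

/* Hardened pattern: copy length derived from what was stored, so it can
 * never exceed BUF_SIZE. */
static size_t advance_fixed(size_t nrouters)
{
    size_t total, stored;
    count_routers(nrouters, &total, &stored);
    return HDR_SIZE + RTR_SIZE * stored;
}

/* Bytes the flawed length would read beyond the end of the buffer. */
static size_t overread_bytes(size_t nrouters)
{
    size_t adv = advance_flawed(nrouters);
    return adv > BUF_SIZE ? adv - BUF_SIZE : 0;
}

int main(void)
{
    printf("35 routers: flawed=%zu fixed=%zu over-read=%zu\n",
           advance_flawed(35), advance_fixed(35), overread_bytes(35));
    return 0;
}
```

With these constructed sizes the two lengths agree until the buffer is full and diverge on the first skipped entry, which is the condition a fix or a regression test has to cover.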