DragonFlyBSD Kernel Audit
DF-0377

config_red error path kfrees struct that may be embedded member of dn_pipe: latent UAF/invalid-free

Summary

config_red (lines 1359-1363), when red_lookup_depth == 0, calls kfree(x, M_DUMMYNET) and returns EINVAL. But x can be &pipe->fs, i.e. a member embedded in dn_pipe (config_pipe:1520 calls set_fs_parms(&x->fs, ...)). Freeing the interior of a larger allocation is an invalid free. set_fs_parms ignores the return value, so the caller continues and inserts the freed flowset. Currently unreachable: red_lookup_depth is a CTLFLAG_RD sysctl with default 256. Latent landmine.
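The ownership hazard in this finding, as an added illustration that is not DragonFly code: a callee that frees its argument on error cannot know whether that argument is a standalone allocation or a member embedded in a larger object, so the free must belong to the owner. The struct names, the tracking allocator and the function names below are constructed stand-ins for dn_pipe, kmalloc/kfree and config_red/set_fs_parms; the registry exists only so an interior-pointer free is reported rather than corrupting the heap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects (not DragonFly's real structs). */
struct flowset { int red_depth; int configured; };
struct pipe    { int id; struct flowset fs; };   /* fs embedded, as in dn_pipe */

/* Tiny allocation registry: a free of a pointer that is not the base of a live
 * allocation is counted instead of handed to the real allocator. */
#define MAX_ALLOCS 16
static void *live[MAX_ALLOCS];
static int invalid_frees;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free, -1 if p is not the base of a live allocation. */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    invalid_frees++;
    return -1;
}

/* Anti-pattern from the finding: the callee frees x on error even though x
 * may be &pipe->fs, an interior pointer into a larger allocation. */
static int set_parms_frees_on_error(struct flowset *x, int lookup_depth) {
    if (lookup_depth == 0) { tracked_free(x); return EINVAL; }
    x->red_depth = lookup_depth;
    x->configured = 1;
    return 0;
}

/* Hardened form: validate and report; never free what you did not allocate. */
static int set_parms_checked(struct flowset *x, int lookup_depth) {
    if (lookup_depth == 0) return EINVAL;
    x->red_depth = lookup_depth;
    x->configured = 1;
    return 0;
}

/* The owner of the pipe checks the result and frees the whole object. */
static int config_pipe_checked(struct pipe **out, int lookup_depth) {
    struct pipe *p = tracked_alloc(sizeof *p);
    *out = NULL;
    if (!p) return ENOMEM;
    int err = set_parms_checked(&p->fs, lookup_depth);
    if (err) { tracked_free(p); return err; }   /* base pointer: valid free */
    *out = p;
    return 0;
}

/* Reproduces the latent bug on an embedded member; returns the number of
 * invalid frees the registry caught (1 expected). */
static int demo_unsafe_embedded(void) {
    struct pipe *p = tracked_alloc(sizeof *p);
    if (!p) return -1;
    int before = invalid_frees;
    set_parms_frees_on_error(&p->fs, 0);   /* return value ignored, as in the finding */
    int caught = invalid_frees - before;
    tracked_free(p);                       /* the owner's correct free still works */
    return caught;
}

int main(void) {
    struct pipe *p;
    printf("unsafe callee on embedded member: %d invalid free(s)\n", demo_unsafe_embedded());
    printf("checked caller, depth 0: err=%d\n", config_pipe_checked(&p, 0));
    printf("checked caller, depth 256: err=%d depth=%d\n",
           config_pipe_checked(&p, 256), p ? p->fs.red_depth : -1);
    if (p) tracked_free(p);
    return 0;
}
```

The two rules the hardened version follows are the ones the finding implies: a function that did not allocate an object never frees it on a failure path, and every caller checks the return value before using the object.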