DragonFlyBSD Kernel Audit
DF-0379

NGM_BINARY2ASCII heap OOB read via ng_unparse: arglen not validated against mesgType/respType struct size

Summary

The NGM_BINARY2ASCII handler (:1505-1576) validates only that binary->header.arglen fits inside the outer message buffer (:1514-1519). It never checks that arglen is at least as large as the structure described by argstype (the command's mesgType, or respType for responses). It then calls ng_unparse(argstype, binary->data, ...) (:1562), which walks binary->data according to the type's layout and takes no source-length bound at all. An attacker therefore sends a command whose argument type is large (NGM_MKPEER: 96 bytes, struct ngm_mkpeer being three 32-byte name fields) while setting binary arglen = 10; ng_unparse reads the remaining 86 bytes past the supplied argument data, i.e. beyond the end of the kmalloc'd message buffer into adjacent heap memory, and the ASCII rendering of those bytes is returned to the caller. Reachability is root-gated: opening an ng_socket control socket requires SYSCAP_RESTRICTEDROOT. As a kernel heap information leak it is still useful in privilege-escalation chains (e.g. to defeat KASLR or recover heap pointers).
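As an added illustration that is not DragonFly or netgraph code: a stand-alone C model of the check the handler performs versus the check it is missing. All names in it (mesg, mesg_hdr, parse_type, mkpeer_type, check_outer_only, check_inner_too, overread_bytes, build_request) are assumptions chosen for the model, and the message header is simplified rather than the real struct ng_mesg. The real struct ng_parse_type carries no fixed size field, so the model's size field stands in for whatever a fix would have to compute from the type before calling ng_unparse. check_outer_only is the existing validation; check_inner_too adds the requirement that the embedded arglen cover the struct argstype describes; overread_bytes computes, rather than performs, the read an unbounded unparse would make past the supplied data, so the program itself stays within defined behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the netgraph message header and parse type.
 * These are assumptions for the model, not the real kernel layouts. */
#define TYPESIZ 32
#define HOOKSIZ 32

struct mesg_hdr {
    uint32_t typecookie;
    uint32_t cmd;
    uint32_t arglen;            /* bytes that follow the header */
    uint32_t flags;
};

struct mesg {
    struct mesg_hdr header;
    unsigned char   data[];     /* arguments, or an embedded struct mesg */
};

/* The model exposes the fixed wire size of the argument struct. The real
 * ng_parse_type has no such field, which is why the handler never checks it. */
struct parse_type {
    const char *name;
    size_t      size;
};

/* NGM_MKPEER arguments: type[TYPESIZ] + ourhook[HOOKSIZ] + peerhook[HOOKSIZ] */
static const struct parse_type mkpeer_type = { "mkpeer", TYPESIZ + 2 * HOOKSIZ };

/* The binary message embedded in a BINARY2ASCII request. */
static const struct mesg *embedded(const struct mesg *msg)
{
    return (const struct mesg *)msg->data;
}

/* The check as the handler performs it: the embedded message must fit in
 * the outer buffer, nothing more. It passes even when the embedded arglen
 * is far smaller than the struct argstype describes. */
static int check_outer_only(const struct mesg *msg)
{
    const struct mesg *binary = embedded(msg);

    if (msg->header.arglen < sizeof(struct mesg) ||
        msg->header.arglen - sizeof(struct mesg) < binary->header.arglen)
        return EINVAL;
    return 0;
}

/* Hardened check: additionally require the embedded arglen to cover the
 * whole argument struct before anything reads from binary->data. */
static int check_inner_too(const struct mesg *msg, const struct parse_type *argstype)
{
    const struct mesg *binary = embedded(msg);
    int error = check_outer_only(msg);

    if (error != 0)
        return error;
    if (argstype != NULL && binary->header.arglen < argstype->size)
        return EINVAL;
    return 0;
}

/* Bytes an unbounded unparse of argstype would read beyond what the caller
 * supplied. Computed, not performed, so this program stays well defined. */
static size_t overread_bytes(const struct mesg *msg, const struct parse_type *argstype)
{
    const struct mesg *binary = embedded(msg);

    if (argstype == NULL || argstype->size <= binary->header.arglen)
        return 0;
    return argstype->size - binary->header.arglen;
}

/* Build a BINARY2ASCII request in buf whose embedded message claims
 * inner_arglen argument bytes (constructed payload of 'A's).
 * Returns NULL if buf cannot hold it. */
static struct mesg *build_request(unsigned char *buf, size_t buflen, uint32_t inner_arglen)
{
    size_t need = 2 * sizeof(struct mesg) + inner_arglen;
    struct mesg *msg, *binary;

    if (buflen < need)
        return NULL;
    memset(buf, 0, buflen);
    msg = (struct mesg *)buf;
    msg->header.arglen = (uint32_t)(sizeof(struct mesg) + inner_arglen);
    binary = (struct mesg *)msg->data;
    binary->header.arglen = inner_arglen;
    memset(binary->data, 'A', inner_arglen);
    return msg;
}

int main(void)
{
    union { uint64_t align; unsigned char b[256]; } u;   /* keep headers aligned */
    struct mesg *req = build_request(u.b, sizeof u.b, 10);

    if (req == NULL)
        return 1;
    printf("outer-only check: %d, with inner check: %d, overread: %zu bytes\n",
           check_outer_only(req), check_inner_too(req, &mkpeer_type),
           overread_bytes(req, &mkpeer_type));
    return 0;
}
```

For the 10-byte MKPEER case the outer-only check returns 0, the hardened check returns EINVAL, and the computed overread is 86 bytes, matching the finding. The check belongs before the ng_unparse call, once argstype has been selected from mesgType or respType, since a response-flagged message may select a different (and larger) type than the request form of the same command.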