DragonFlyBSD Kernel Audit
DF-0382

config_red divides by (max_th-min_th) and by max_th without a zero check: kernel panic (same bug class as the unfixed dummynet v1 finding)

Summary

In config_red (:1351-1356), x->c_1 = ioc_fs->max_p / (ioc_fs->max_th - ioc_fs->min_th). When max_th == min_th the divisor is zero and the division panics the kernel. With GENTLE_RED, x->c_3 = (SCALE(1) - max_p) / max_th, so max_th == 0 is a second divide-by-zero. set_fs_parms ignores the return value (:1452, "XXX should check errors"). This is the same unfixed bug as DF-0374 (v1). A single setsockopt call triggers the panic, and root in a jail can panic the host kernel.
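
One way to close both divisions, written here as an added user-space model and not taken from the DragonFlyBSD source: validate the thresholds before dividing, and have the caller act on the error. The struct layouts, the `_checked` function names, the `gentle` field and the `SCALE_N` value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified user-space stand-ins (assumptions), not the kernel's real types. */
#define SCALE_N 16                       /* assumed fixed-point shift */
#define SCALE(x) ((int64_t)(x) << SCALE_N)

struct red_params {      /* models the ioc_fs fields named in the finding */
    int64_t max_p;
    int64_t min_th;
    int64_t max_th;
    int     gentle;      /* models the GENTLE_RED flag */
};

struct red_state {       /* models x->c_1 and x->c_3 */
    int64_t c_1;
    int64_t c_3;
};

/* Reject any parameter set that would make a divisor zero or negative. */
int config_red_checked(const struct red_params *p, struct red_state *x)
{
    /* min_th >= 0 and max_th > min_th together imply max_th > 0, so this
     * one test guards both (max_th - min_th) for c_1 and max_th for c_3. */
    if (p->min_th < 0 || p->max_th <= p->min_th)
        return EINVAL;

    x->c_1 = p->max_p / (p->max_th - p->min_th);
    x->c_3 = p->gentle ? (SCALE(1) - p->max_p) / p->max_th : 0;
    return 0;
}

/* Models the caller: propagate the error and leave live state untouched. */
int set_fs_parms_checked(struct red_state *live, const struct red_params *p)
{
    struct red_state tmp;
    int error = config_red_checked(p, &tmp);

    if (error != 0)
        return error;    /* surfaced to the setsockopt caller */
    *live = tmp;         /* commit only after validation succeeded */
    return 0;
}
```
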