DragonFlyBSD Kernel Audit
DF-0389

Sockaddr padding not zeroed in rt_msg_buffer/rt_msg_mbuf: 1-7 bytes kernel memory leak per sockaddr

Summary

rt_msg_buffer (:1140-1141) and rt_msg_mbuf (:1202-1203) bcopy/m_copyback RT_ROUNDUP(sa->sa_len) bytes for each sockaddr but do NOT bzero the alignment padding between sa_len and the RT_ROUNDUP boundary. E.g. sockaddr_in6 (sa_len=28) -> RT_ROUNDUP=32, so 4 trailing bytes are copied from adjacent kernel memory. FreeBSD explicitly zeroes the padding: bcopy(sa,cp,sa_len); bzero(cp+sa_len,dlen-sa_len). DragonFly omits the bzero. Affects all route message output paths. Reachable unprivileged via sysctl/RTM_GET.
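Added example, not DragonFly or FreeBSD source: a userland model of the two copy patterns described above, with a padding check that can serve as a regression test. ROUNDUP8, the function names and the buffer contents are assumptions made for illustration; the rounding to 8 matches the 28 -> 32 case in the summary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical macro: round up to the next multiple of 8 (28 -> 32). */
#define ROUNDUP8(n) (((size_t)(n) + 7u) & ~(size_t)7u)

/* Pattern from the finding: copy the rounded length straight from the source. */
static size_t copy_sa_unpadded(uint8_t *dst, const uint8_t *sa, size_t sa_len) {
    size_t dlen = ROUNDUP8(sa_len);
    memcpy(dst, sa, dlen);   /* last dlen - sa_len bytes are not sockaddr data */
    return dlen;
}

/* Corrected form: copy sa_len bytes, then zero the alignment padding. */
static size_t copy_sa_zeroed(uint8_t *dst, const uint8_t *sa, size_t sa_len) {
    size_t dlen = ROUNDUP8(sa_len);
    memcpy(dst, sa, sa_len);
    memset(dst + sa_len, 0, dlen - sa_len);   /* no-op when already aligned */
    return dlen;
}

/* Regression check: count non-zero bytes in the padding of a copied sockaddr. */
static size_t nonzero_padding(const uint8_t *buf, size_t sa_len) {
    size_t n = 0;
    for (size_t i = sa_len; i < ROUNDUP8(sa_len); i++)
        n += (buf[i] != 0);
    return n;
}

/* Constructed input: a 28-byte sockaddr followed by unrelated bytes (0xA5). */
static size_t demo(int zeroed) {
    uint8_t mem[40], out[32];
    const size_t sa_len = 28;          /* sockaddr_in6 length from the page */
    memset(mem, 0xA5, sizeof(mem));    /* stand-in for adjacent memory */
    memset(mem, 0, sa_len);            /* the sockaddr itself */
    mem[0] = (uint8_t)sa_len;          /* sa_len field */
    memset(out, 0xEE, sizeof(out));    /* stale destination contents */
    if (zeroed) copy_sa_zeroed(out, mem, sa_len);
    else        copy_sa_unpadded(out, mem, sa_len);
    return nonzero_padding(out, sa_len);
}

int main(void) {
    printf("unpadded copy: %zu non-zero padding bytes\n", demo(0));
    printf("zeroed copy:   %zu non-zero padding bytes\n", demo(1));
    return 0;
}
```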