DragonFlyBSD Kernel Audit
← dashboard
DF-0390

rt_xaddrs accepts sockaddrs with sa_len below _SA_MINSIZE: inconsistent with RO_MISSFILTER validation

Summary

rt_xaddrs(:1010-1049) validates sa against message boundary(:1023) but does NOT enforce sa_len>=_SA_MINSIZE(2). Compare RO_MISSFILTER(:523) correctly checks sa_len<_SA_MINSIZE. sa_len=1 allowed: sa_family reads from next byte in message buffer (user-controlled). No OOB (all within kmalloc rtm) but structurally invalid sockaddrs pass sa_family<AF_MAX check(:728-729). RTM_ADD/DEL/CHANGE require root(:738-740), RTM_GET read-only.