DragonFlyBSD Kernel Audit
DF-0397

rt_setshims: unchecked R_Malloc (M_NULLOK) leads to NULL-pointer-write panic via bcopy to NULL

Summary

In rt_setshims (:1374-1391), R_Malloc(rt->rt_shim[i], ...) at :1386 expands to kmalloc(..., M_INTWAIT|M_NULLOK) (radix.h:193-194), which can return NULL under memory pressure. The bcopy(shim, rt->rt_shim[i], shimlen) that follows at :1387 does not check the result and unconditionally writes shimlen (up to 256) bytes to NULL, causing a fatal kernel panic. The caller, rtrequest1 in its RTM_ADD path (:927-928), ignores the return value. The path is reachable by a privileged subject adding an MPLS-annotated route.
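A user-space model of the checked form of this pattern, added here as an illustration; it is not DragonFlyBSD code and not a patch from the audit. All names (rt_model, nullok_alloc, set_shims_checked, add_route_model, allocs_left), the slot count, the sample labels and the choice of ENOBUFS as the error are assumptions of the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NSHIMS 3                      /* assumption: shim slots in this model */
struct rt_model { void *shim[NSHIMS]; };
int allocs_left = -1;                 /* constructed fault injector: -1 = never fail */

/* Stand-in for an M_NULLOK allocation: it may legitimately return NULL. */
void *nullok_alloc(size_t len)
{
    if (allocs_left == 0)
        return NULL;
    if (allocs_left > 0)
        allocs_left--;
    return malloc(len);
}

/* Checked copy loop: test each allocation, unwind earlier slots, report the error. */
int set_shims_checked(struct rt_model *rt, const void *const src[], const size_t len[])
{
    for (int i = 0; i < NSHIMS && src[i] != NULL; i++) {
        void *p = nullok_alloc(len[i]);
        if (p == NULL) {              /* the test the finding reports as missing */
            while (i-- > 0) {         /* release slots filled before the failure */
                free(rt->shim[i]);
                rt->shim[i] = NULL;
            }
            return ENOBUFS;
        }
        memcpy(p, src[i], len[i]);    /* destination is known non-NULL here */
        rt->shim[i] = p;
    }
    return 0;
}

/* Caller model: the result is propagated instead of being dropped. */
int add_route_model(struct rt_model *rt, const void *const src[], const size_t len[])
{
    return set_shims_checked(rt, src, len);
}

int main(void)
{
    struct rt_model rt = {{0}};
    const void *const src[NSHIMS] = {"label-1", "label-2", NULL}; /* constructed input */
    const size_t len[NSHIMS] = {8, 8, 0};
    allocs_left = 1;                  /* first allocation succeeds, second fails */
    return add_route_model(&rt, src, len) == ENOBUFS ? 0 : 1;
}
```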