DragonFlyBSD Kernel Audit
DF-0403

Unvalidated dst_ring from custom lookup causes OOB index into dst_ents array

Summary

In nm_bdg_flush (lines 1162-1183), dst_ring is a uint8_t set by the custom nm_bdg_lookup function. It is used to compute d_i = dst_port * NM_BDG_MAXRINGS + dst_ring, followed by d = dst_ents + d_i, with no bounds check against NM_BDG_MAXRINGS (16). With dst_port=253 and dst_ring=255, d_i = 4303, which is past dst_ents[4065]. The default learning lookup sets ring=0; a custom lookup registered via NETMAP_BDG_LOOKUP_REG (root only) can set any value. This is a defense-in-depth issue.
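The index arithmetic from the summary next to one possible bounds check, as an added example that is not DragonFlyBSD source. The function names and DST_ENTS_LEN are hypothetical; the values 16 and 4065 are the ones given in the finding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NM_BDG_MAXRINGS 16    /* value given in the finding */
#define DST_ENTS_LEN    4065  /* dst_ents size given in the finding (assumed name) */

/* Index arithmetic as described in the finding: dst_ring is not checked. */
static size_t
dst_index_unchecked(uint8_t dst_port, uint8_t dst_ring)
{
	return (size_t)dst_port * NM_BDG_MAXRINGS + dst_ring;
}

/*
 * Hypothetical hardened form: reject the ring before it is folded into the
 * index, then confirm the slot lies inside the array.
 * Returns 0 and stores the index in *d_i, or -1 if the result must be dropped.
 */
static int
dst_index_checked(uint8_t dst_port, uint8_t dst_ring, size_t *d_i)
{
	size_t idx;

	/* A ring >= MAXRINGS aliases another port's slots even when in range. */
	if (dst_ring >= NM_BDG_MAXRINGS)
		return -1;
	idx = (size_t)dst_port * NM_BDG_MAXRINGS + dst_ring;
	if (idx >= DST_ENTS_LEN)
		return -1;
	*d_i = idx;
	return 0;
}

int
main(void)
{
	size_t d_i = 0;

	/* The pair from the finding: index lands past the end of the array. */
	printf("unchecked(253,255) = %zu\n", dst_index_unchecked(253, 255));
	printf("checked(253,255)   = %d\n", dst_index_checked(253, 255, &d_i));
	/* In-range index, wrong slot: (1,20) collides with (2,4). */
	printf("unchecked(1,20)    = %zu\n", dst_index_unchecked(1, 20));
	printf("checked(1,20)      = %d\n", dst_index_checked(1, 20, &d_i));
	return 0;
}
```

Checking only d_i against the array length would still accept the (1,20) case, which is why the ring is validated on its own.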