DragonFlyBSD Kernel Audit
DF-0408

ip_optcopy validates IP-option lengths only with KASSERT (no-op on production): latent OOB read

Summary

ip_optcopy (lines 1018-1042) validates IP-option lengths only with KASSERT, which is compiled out in a kernel built without INVARIANTS. On a production kernel, cp[IPOPT_OLEN] is therefore read for any option byte other than EOL/NOP even when cnt == 1, a one-byte out-of-bounds read past the end of the IP header options. The code relies on the comment "bogus lengths should have been caught by ip_dooptions". All current producers of option buffers do validate, so the bug is latent, but it becomes reachable if that invariant ever breaks.
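As an added illustration (not DragonFlyBSD's code), a stand-alone option-copy loop in the same shape as ip_optcopy, but with the length checks written as ordinary runtime branches that survive a build without INVARIANTS; the function name, the constructed samples and the IPOPT_* redefinitions are this example's own:

```c
#include <stdint.h>
#include <string.h>
/* Constants mirror <netinet/ip.h>; redefined here so the file stands alone. */
#define IPOPT_EOL       0
#define IPOPT_NOP       1
#define IPOPT_OLEN      1              /* offset of an option's length byte */
#define IPOPT_COPIED(o) ((o) & 0x80)   /* option is replicated into fragments */

/* Copy the "copied"-class options from src (len bytes of option space) into
 * dst. Returns bytes written, or -1 on a malformed option. Every bound check
 * is an ordinary branch, so it still runs in a kernel built without
 * INVARIANTS, where a KASSERT compiles to nothing. */
int copy_ip_options(const uint8_t *src, size_t len, uint8_t *dst)
{
    size_t cnt = len, off = 0, out = 0;
    while (cnt > 0) {
        uint8_t opt = src[off];
        size_t optlen;
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            dst[out++] = IPOPT_NOP;    /* preserve alignment of what follows */
            optlen = 1;
        } else {
            /* The length byte must lie inside the buffer: with cnt == 1 an
             * unconditional src[off + IPOPT_OLEN] is the one-byte over-read. */
            if (cnt < 2)
                return -1;
            optlen = src[off + IPOPT_OLEN];
            /* Must cover type+length and fit the remaining space; a zero
             * length would otherwise spin the loop forever. */
            if (optlen < 2 || optlen > cnt)
                return -1;
            if (IPOPT_COPIED(opt)) {
                memcpy(dst + out, src + off, optlen);
                out += optlen;
            }
        }
        cnt -= optlen;
        off += optlen;
    }
    return (int)out;
}
/* Constructed samples: NOP, LSRR (0x83, len 3, ptr 4), EOL; a lone type byte;
 * an option claiming 16 bytes with only 3 present. */
const uint8_t sample_ok[]    = { IPOPT_NOP, 0x83, 3, 4, IPOPT_EOL };
const uint8_t sample_trunc[] = { 0x83 };
const uint8_t sample_long[]  = { 0x83, 16, 4 };
uint8_t outbuf[40];
```

The truncated sample is the cnt == 1 case from the summary: the hardened loop refuses it instead of reading the missing length byte.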