DragonFlyBSD Kernel Audit
DF-0410

Heap buffer overflow in ng_encode_string: buffer allocated by strlen(raw) but loop iterates attacker-controlled slen

Summary

ng_sizedstring_unparse (:924) reads slen = *(u_int16_t *)(data + *off), an attacker-controlled value, and passes it to ng_encode_string(raw, slen) (:925). ng_encode_string (:1832) allocates cbuf = kmalloc(strlen(raw) * 4 + 3, ...), i.e. sized from strlen(raw), but its loop (:1837), for (i = 0; i < slen; i++), writes up to slen * 4 bytes. Whenever slen > strlen(raw) the write runs past the end of the heap allocation. Worst case: slen = 65535 with raw starting with a NUL byte gives a 3-byte allocation and a write of up to 262140 bytes. The same loop also reads past the NUL into adjacent heap memory, and the encoded result is returned to userland, so the bug is an information leak as well as an overflow. Reachable via an NGM_BINARY2ASCII control message on a sizedstring-typed field. Root-gated (ng_socket SYSCAP_RESTRICTEDROOT check).
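As an added illustration, not DragonFly's code, a user-space reconstruction of the hardened pattern: the walk and the allocation are both bounded by strnlen(raw, slen), so they can never disagree, and the sizedstring length prefix is checked against the remaining message bytes before anything is encoded. The \xNN escaping convention and the function names are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed encoding convention: printable bytes are copied, everything else
 * becomes \xNN (4 output bytes), so the worst case is 4 output bytes per
 * input byte plus two quotes and a terminating NUL (hence the "* 4 + 3"). */

/* Hardened encoder: the loop bound and the allocation size come from the same
 * value, strnlen(raw, slen), which stops at the first NUL and never exceeds the
 * declared length. A declared slen larger than the real string cannot make
 * the loop write or read beyond what was allocated. */
char *encode_string_bounded(const char *raw, size_t slen)
{
    size_t n = strnlen(raw, slen);
    char *cbuf = malloc(n * 4 + 3);
    if (cbuf == NULL)
        return NULL;
    char *cp = cbuf;
    *cp++ = '"';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (isprint(c) && c != '"' && c != '\\')
            *cp++ = (char)c;
        else
            cp += sprintf(cp, "\\x%02x", c);   /* always exactly 4 bytes */
    }
    *cp++ = '"';
    *cp = '\0';
    return cbuf;
}

/* Validation for the unparse step: the 16-bit length prefix at data+off must
 * lie inside the message and the slen bytes it announces must actually be
 * present. Returns 1 and stores slen on success, 0 if the message is malformed. */
int sizedstring_len_ok(const unsigned char *data, size_t datalen, size_t off,
                       uint16_t *slen_out)
{
    uint16_t slen;
    if (off > datalen || datalen - off < sizeof slen)
        return 0;
    memcpy(&slen, data + off, sizeof slen);     /* native endian, as in the kernel */
    if ((size_t)slen > datalen - off - sizeof slen)
        return 0;
    *slen_out = slen;
    return 1;
}
```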