DragonFlyBSD Kernel Audit
DF-0418

Unbounded default-router and prefix list growth from spoofed RAs: RA-flooding kernel memory exhaustion DoS

Summary

defrtrlist_update (:689-702) kmallocs an nd_defrouter for each unique RA source link-local address and adds it with TAILQ_INSERT, with no upper bound. nd6_prelist_add (:765-782) kmallocs an nd_prefix and calls pfxrtr_add (:727) for each unique prefix per router. There is no per-router or per-prefix limit anywhere (nd6_maxndopt caps options per packet, not state accumulated across packets). An unauthenticated on-link attacker who sends a stream of RAs, each with a fresh randomized source and prefix, causes unbounded kmalloc, leading to kernel memory exhaustion and a system hang or panic. This is classic RA flooding (RFC 6104/6105). Linux and FreeBSD added caps; DragonFly lacks them.
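The missing bound, shown as an added userland model (not DragonFly code and not a patch from this audit): a router list that refuses new entries once a cap is reached while still refreshing known routers. The names drlist, drlist_update, simulate_flood and the MAX_DEFROUTERS value are assumptions made for illustration, and the source addresses are constructed in memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>
#define MAX_DEFROUTERS 16   /* assumed cap, not a DragonFly constant */

struct defrouter {          /* userland stand-in for nd_defrouter */
    uint8_t addr[16];       /* RA source link-local address */
    TAILQ_ENTRY(defrouter) link;
};
struct drlist {
    TAILQ_HEAD(, defrouter) head;
    unsigned count;         /* entries currently allocated */
    unsigned dropped;       /* RAs refused because the list was full */
};

static void drlist_init(struct drlist *l)
{
    TAILQ_INIT(&l->head);
    l->count = l->dropped = 0;
}

/* 1 = new entry, 0 = router already known, -1 = refused (cap or no memory). */
static int drlist_update(struct drlist *l, const uint8_t src[16])
{
    struct defrouter *dr;
    TAILQ_FOREACH(dr, &l->head, link)
        if (memcmp(dr->addr, src, 16) == 0)
            return 0;       /* refresh path, no allocation */
    if (l->count >= MAX_DEFROUTERS) {   /* the bound the finding says is missing */
        l->dropped++;
        return -1;
    }
    if ((dr = malloc(sizeof(*dr))) == NULL)
        return -1;
    memcpy(dr->addr, src, 16);
    TAILQ_INSERT_TAIL(&l->head, dr, link);
    l->count++;
    return 1;
}

/* Feed n constructed sources fe80::<i>, one RA each; returns list size. */
static unsigned simulate_flood(struct drlist *l, unsigned n)
{
    uint8_t src[16] = { 0xfe, 0x80 };
    for (unsigned i = 1; i <= n; i++) {
        src[14] = (uint8_t)(i >> 8); src[15] = (uint8_t)i;
        drlist_update(l, src);
    }
    return l->count;
}
```

The dropped counter gives operators a signal that the cap is being hit; the same pattern applies to the prefix list populated by nd6_prelist_add.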