DragonFlyBSD Kernel Audit
DF-0424

Unvalidated mf6cc_parent stored in MFC: OOB read in ip6_mdq debug path when parent >= MAXMIFS(64)

Summary

add_m6fc (:751, :713, :797, :821) copies mf6cc_parent (a mifi_t, i.e. u_short, range 0..65535) into rt->mf6c_parent without checking it against nummifs or MAXMIFS (64). The fast path in ip6_mdq (:1307, :1324) guards with mifi < nummifs, but the MRT6DEBUG log statement (:1314) dereferences mif6table[mifi].m6_ifp->if_index with the unvalidated mifi. With mifi as large as 65535 and an array of 64 entries, this is an out-of-bounds read reaching up to 65535 * sizeof(struct mif6) past the array, followed by a pointer dereference. The result is a panic if MRT6DEBUG is compiled in. A privileged user installs the MFC entry; remote multicast traffic triggers the path.
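A user-space model of the two checks this finding calls for, added here as an illustration and not taken from the DragonFlyBSD source: reject an out-of-range parent when the entry is installed, and validate mifi before the debug lookup. `struct ifnet_model`, `struct mf6c_model`, `set_parent_checked`, `debug_ifindex`, `setup_sample` and the sample values are hypothetical; checking against MAXMIFS at install time and against nummifs at use time is an assumed split.

```c
#include <stddef.h>
#include <stdio.h>

#define MAXMIFS 64                      /* mif6table size given in the finding */
typedef unsigned short mifi_t;          /* 0..65535 */

struct ifnet_model { int if_index; };   /* hypothetical stand-in for struct ifnet */
struct mif6 { struct ifnet_model *m6_ifp; };
struct mf6c_model { mifi_t mf6c_parent; };  /* hypothetical: only the field at issue */

static struct mif6 mif6table[MAXMIFS];
static mifi_t nummifs;
static struct ifnet_model sample_ifp = { 7 };   /* constructed sample data */
static struct mf6c_model sample_rt;

/* Install-time check: refuse a parent that can never index mif6table. */
static int set_parent_checked(struct mf6c_model *rt, mifi_t parent)
{
    if (parent >= MAXMIFS)
        return -1;                      /* a kernel caller would return EINVAL */
    rt->mf6c_parent = parent;
    return 0;
}

/* Debug-path lookup: validate mifi before touching mif6table[mifi].m6_ifp. */
static int debug_ifindex(mifi_t mifi)
{
    if (mifi >= nummifs || mifi >= MAXMIFS || mif6table[mifi].m6_ifp == NULL)
        return -1;                      /* log a placeholder, do not dereference */
    return mif6table[mifi].m6_ifp->if_index;
}

/* Constructed state: two MIFs configured, only index 1 has an interface. */
static int setup_sample(void)
{
    nummifs = 2;
    mif6table[1].m6_ifp = &sample_ifp;
    return nummifs;
}

int main(void)
{
    setup_sample();
    printf("install 1     -> %d\n", set_parent_checked(&sample_rt, 1));
    printf("install 65535 -> %d\n", set_parent_checked(&sample_rt, 65535));
    printf("debug 1       -> %d\n", debug_ifindex(1));
    printf("debug 65535   -> %d\n", debug_ifindex(65535));
    return 0;
}
```

The use-time check stays even with the install-time check in place, since an index below MAXMIFS can still be at or above nummifs or refer to a slot with no interface attached.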