DragonFlyBSD Kernel Audit
DF-0429

Unauthenticated PFSYNC_ACT_UREQ forces victim to multicast entire pf state table: info disclosure + amplification DoS

Summary

A PFSYNC_ACT_UREQ message with id == 0 && creatorid == 0 (:916) sets sc_ureq_received, seeds sc_bulk_send_next, and sends PFSYNC_BUS_START. pfsync_bulk_update (:1545-1613) then iterates up to sc_maxcount * PFSYNC_BULKPACKETS states across all CPUs, packs them into PFSYNC_ACT_UPD messages, and emits them via pfsync_sendout to the multicast group (:1734-1736). A single ~40-byte packet therefore triggers a full state table dump.

Impact: the source/destination addresses, ports, protocol, sequence numbers, and timeouts of every tracked connection are exposed to a passive sniffer, along with CPU and bandwidth exhaustion. There is no privilege or source check on the request (DF-0428).