DragonFlyBSD Kernel Audit
DF-0433

bpf_mtap_hdr submits partially-initialized stack mbuf: bpf_mtap reads uninitialized m_pkthdr.rcvif

Summary

bpf_mtap_hdr (:1347-1393) allocates only a struct m_hdr on the stack and initializes its mh_flags, next, len and data fields, but never m_pkthdr. It then casts the header to struct mbuf * and hands it to bpf_mtap(). bpf_mtap (:1322) reads m->m_pkthdr.rcvif in a control-flow check (!bd_seesent && rcvif == NULL). Because m_pkthdr lies past the end of the stack-allocated m_hdr, that read pulls in adjacent uninitialized stack bytes. Contrast bpf_ptap (:1377-1393), which correctly initializes rcvif. Reachability: a rare driver caller combined with bd_seesent cleared. No confirmed leak to userspace, since bpf_mcopy uses only the initialized m_len, m_data and m_next fields.
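Added illustration, not DragonFlyBSD source: a reduced user-space model of the mbuf layout (field names and sizes are assumptions, only the containment relationship matters) showing why a bare m_hdr on the stack cannot back a consumer that inspects m_pkthdr, and the bpf_ptap-style fix of building a whole struct mbuf with rcvif initialized.

```c
#include <stddef.h>
#include <string.h>

struct ifnet;   /* opaque receiving-interface type, as in the kernel */
struct mbuf;

struct m_hdr {              /* common header (modelled fields) */
    struct mbuf *mh_next;
    int          mh_len;
    char        *mh_data;
    int          mh_flags;
};
struct pkthdr {             /* packet header, valid only on the first mbuf */
    struct ifnet *rcvif;    /* NULL means locally generated */
    int           len;
};
struct mbuf {
    struct m_hdr  m_hdr;
    struct pkthdr m_pkthdr;
};

/* The audited pattern: only struct m_hdr exists on the stack, yet the consumer
 * treats it as a full struct mbuf. Returns 1 only if m_pkthdr would still fall
 * inside the object, which it never does, so every m_pkthdr read is out of bounds. */
int hdr_alone_covers_pkthdr(void)
{
    return sizeof(struct m_hdr) >=
           offsetof(struct mbuf, m_pkthdr) + sizeof(struct pkthdr);
}

/* Corrected pattern in the spirit of bpf_ptap(): allocate the whole struct
 * mbuf and define every field the consumer may read, rcvif included. */
static void fill_stack_mbuf(struct mbuf *mb, char *data, int len)
{
    memset(mb, 0, sizeof(*mb));       /* no field left uninitialized */
    mb->m_hdr.mh_data  = data;
    mb->m_hdr.mh_len   = len;
    mb->m_pkthdr.rcvif = NULL;        /* what the bd_seesent check inspects */
    mb->m_pkthdr.len   = len;
}

/* Model of bpf_mtap's control-flow check on the packet header. */
int consumer_treats_as_sent(const struct mbuf *m, int bd_seesent)
{
    return !bd_seesent && m->m_pkthdr.rcvif == NULL;
}

int demo_hardened(void)               /* constructed 3-byte payload */
{
    char payload[4] = "abc";
    struct mbuf mb;
    fill_stack_mbuf(&mb, payload, 3);
    return consumer_treats_as_sent(&mb, 0);   /* well-defined result: 1 */
}
```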