DragonFlyBSD Kernel Audit
← dashboard
DF-0441

Divide-by-zero kernel panic when ns_per_byte==0: CBQ class add/modify unconditionally divides by user-supplied value

Summary

rmc_newclass(:237): cl->allotment_=RM_NS_PER_SEC/nsecPerByte. rmc_modclass(:350): same divide. nsecPerByte passed verbatim from user struct cbq_opts.ns_per_byte(u_int) through cbq_add_queue_locked(altq_cbq.c:367,374) with NO zero check anywhere. Single pfaltq config ns_per_byte=0 -> integer divide-by-zero -> kernel panic netisr cpu0. Privileged local DoS. Fix: validate nsecPerByte!=0 at entry.