DragonFlyBSD Kernel Audit
DF-0442

rmc_init stores user-driven maxqueued_ without validation: div-by-zero or heap OOB via fixed-size array modulus

Summary

rmc_init (line 680) assigns ifd->maxqueued_ = maxqueued with no bounds check. The stored value is then used as a modulus whenever the queue indices advance: qi_ = (qi_ + 1) % maxqueued_ (lines 1086 and 1206) and qo_ = (qo_ + 1) % maxqueued_ (line 1434). Those indices select into the arrays borrowed_[], class_[], curlen_[], now_[] and is_overlimit_[], all of which are sized RM_MAXQUEUED, which is 1.

Two failure modes follow. If maxqueued_ is 0, the modulus is a division by zero and the kernel panics. If maxqueued_ is greater than 1, the indices cycle through 1..N-1, and every access at those indices lands past the end of the one-element arrays, writing into the adjacent fields of the rm_ifdat structure.

The issue is currently latent: the sole caller, cbq_add_queue_locked, passes the constant RM_MAXQUEUED. Rejecting any value outside 1..RM_MAXQUEUED in rmc_init is a defense-in-depth fix.
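The following is an added example, not DragonFlyBSD's code, that models the two failure modes in a reduced rm_ifdat-like structure and places the unchecked initialisation beside a validated one. Field names follow the finding; the struct layout, the helper names (rmc_init_unchecked, rmc_init_checked, max_index_reached, index_in_bounds, checked_init_result) and the neighbour field are assumptions made for illustration.

```c
/* Added example: a reduced model of the rm_ifdat state and index arithmetic
 * described in the finding. Not DragonFlyBSD's code; field names follow the
 * finding, the struct layout and function names are assumptions. */
#include <errno.h>
#include <stdio.h>

#define RM_MAXQUEUED 1  /* array size reported by the finding */

struct model_ifdat {
    int maxqueued_;             /* stored by rmc_init without validation */
    int qi_;                    /* enqueue-side index */
    int qo_;                    /* dequeue-side index */
    int curlen_[RM_MAXQUEUED];  /* one of the RM_MAXQUEUED-sized arrays */
    int neighbour;              /* stands in for the adjacent field an OOB index would clobber */
};

/* The "before": maxqueued is stored as-is, the pattern the finding flags. */
static void rmc_init_unchecked(struct model_ifdat *ifd, int maxqueued)
{
    ifd->maxqueued_ = maxqueued;
    ifd->qi_ = 0;
    ifd->qo_ = 0;
}

/* The "after": reject 0 (division by zero in the modulus) and anything
 * larger than the backing arrays (out-of-bounds indices). */
static int rmc_init_checked(struct model_ifdat *ifd, int maxqueued)
{
    if (maxqueued < 1 || maxqueued > RM_MAXQUEUED)
        return EINVAL;
    ifd->maxqueued_ = maxqueued;
    ifd->qi_ = 0;
    ifd->qo_ = 0;
    return 0;
}

/* Convenience wrapper: return code of rmc_init_checked on a fresh struct. */
static int checked_init_result(int maxqueued)
{
    struct model_ifdat d;
    return rmc_init_checked(&d, maxqueued);
}

/* Simulate `steps` advances of qi_ = (qi_ + 1) % maxqueued_ and report the
 * largest index that would be used on the fixed-size arrays.
 * Returns -1 when maxqueued_ is 0, where the real code would divide by zero. */
static int max_index_reached(int maxqueued, int steps)
{
    struct model_ifdat d;
    int max = 0;

    rmc_init_unchecked(&d, maxqueued);
    if (d.maxqueued_ == 0)
        return -1;
    for (int i = 0; i < steps; i++) {
        d.qi_ = (d.qi_ + 1) % d.maxqueued_;
        if (d.qi_ > max)
            max = d.qi_;
    }
    return max;
}

/* True when every index the modulus can produce stays inside the arrays. */
static int index_in_bounds(int maxqueued)
{
    int m = max_index_reached(maxqueued, 2 * RM_MAXQUEUED + 8);
    return m >= 0 && m < RM_MAXQUEUED;
}

int main(void)
{
    int vals[] = { 0, 1, 2, 4 };

    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        int v = vals[i];
        printf("maxqueued=%d: checked init -> %s, highest index -> %d (%s)\n",
               v,
               checked_init_result(v) == 0 ? "accepted" : "rejected (EINVAL)",
               max_index_reached(v, 8),
               index_in_bounds(v) ? "in bounds" : "div-by-zero or OOB");
    }
    return 0;
}
```

With RM_MAXQUEUED at 1, only maxqueued == 1 passes the check; 0 is the division-by-zero case and anything above 1 produces indices that the one-element arrays cannot hold. The check belongs at the point of storage, so that the later modulus sites never see an unvalidated value regardless of which caller supplied it.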