DF-0443
Integer overflow in scaled scheduler parameter math: maxidle/offtime/pkttime products truncate to 32-bit int
Summary
altq_rmclass.c(:248-279,:686,:1303,:1346): multiple products of attacker-influenced u_int/int stored into int fields without overflow check. minidle_*nsecPerByte/8(:248), maxidle_*nsecPerByte/8(:254), offtime_*nsecPerByte/8>>gain(:259), mtu*nsecPerByte(:686), pkt_time=curlen*ns_per_byte(:1303) pktlen*ns_per_byte(:1346) — pkt_time is int, ns_per_byte up to UINT_MAX -> normal 1500-byte on slow link wraps negative -> garbage avgidle/undertime. Shaping malfunction/functional DoS. Privileged config.