DragonFlyBSD Kernel Audit
DF-0447

AF_ARP output case is dead code carrying a latent uninitialized-read/OOB-read: mtod returns the ether_header, not the arphdr, after M_PREPEND

Summary

The AF_ARP case (:237-285) first does M_PREPEND(m, sizeof(struct ether_header)) (:237) and only then takes ah = mtod(m, struct arphdr *). After the prepend, mtod returns the start of the freshly reserved Ethernet header space, not the ARP header, which now sits 14 bytes further into the mbuf. The case therefore interprets the not-yet-written ether_header bytes as an arphdr: ah->ar_op (offset 6) aliases ether_shost[0..1], and ah->ar_hln / ah->ar_pln (offsets 4 and 5) alias ether_dhost[4..5], all of them uninitialized. ar_tha(ah) then adds those two garbage length bytes to the header pointer, and the following bcopy() copies 6 bytes from wherever that lands; with ar_hln and ar_pln each up to 255, the source can lie more than 500 bytes past the header, an out-of-bounds read.

Impact today: none. The case is dead code: the kernel's own ARP transmit path hands frames to the output routine with AF_UNSPEC (if_ether.c:415, 1257), so the AF_ARP branch is never reached. If it is ever re-enabled, or reached by a new caller, the result is an immediate uninitialized read followed by a potential out-of-bounds read.
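The aliasing described above, reproduced in userland as an added example (this is not DragonFly code and does not model the mbuf API). The struct definitions mirror the BSD <net/ethernet.h> and <net/if_arp.h> field order, the ar_tha arithmetic mirrors the BSD macro, and the 42-byte frame is constructed here: 14 bytes of "M_PREPEND space" filled with a chosen byte to stand in for whatever the mbuf held, followed by a valid Ethernet/IPv4 ARP request. arp_tha_wrong_view() takes the arphdr view at offset 0, as the audited mtod() does; arp_tha_checked() is the corrected form, which skips the Ethernet header and bounds-checks the lengths before anything reads through ar_tha.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local mirrors of the BSD <net/ethernet.h> / <net/if_arp.h> layouts (assumption: same
 * field order as DragonFly's; both are padding-free, 14 and 8 bytes respectively). */
struct ether_header {
    uint8_t  ether_dhost[6];
    uint8_t  ether_shost[6];
    uint16_t ether_type;
};
struct arphdr {
    uint16_t ar_hrd;   /* hardware type */
    uint16_t ar_pro;   /* protocol type */
    uint8_t  ar_hln;   /* hardware address length */
    uint8_t  ar_pln;   /* protocol address length */
    uint16_t ar_op;    /* opcode */
};

#define ARP_LEN   28u                                   /* 8 + 2 * (6 + 4) */
#define ETH_HLEN  ((size_t)sizeof(struct ether_header)) /* 14 */
#define FRAME_LEN (ETH_HLEN + ARP_LEN)                  /* 42 */

/* Frame storage with 2-byte alignment so casting to struct arphdr is well formed. */
typedef union {
    uint16_t align[FRAME_LEN / 2];
    uint8_t  b[FRAME_LEN];
} frame_t;

/* Constructed frame: ETH_HLEN bytes of "M_PREPEND space" filled with `fill` (the kernel
 * never initialises this region), then a valid Ethernet/IPv4 ARP request, network order. */
static void build_frame(frame_t *f, uint8_t fill)
{
    static const uint8_t arp_req[ARP_LEN] = {
        0x00, 0x01,                         /* ar_hrd = ARPHRD_ETHER */
        0x08, 0x00,                         /* ar_pro = ETHERTYPE_IP */
        6, 4,                               /* ar_hln, ar_pln */
        0x00, 0x01,                         /* ar_op = ARPOP_REQUEST */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* sender hardware address */
        10, 0, 0, 1,                        /* sender protocol address */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* target hardware address (tha) */
        10, 0, 0, 2,                        /* target protocol address */
    };
    memset(f->b, fill, ETH_HLEN);
    memcpy(f->b + ETH_HLEN, arp_req, ARP_LEN);
}

/* Offset, relative to the arphdr, that BSD's ar_tha(ap) dereferences:
 * (caddr_t)((ap)+1) + ap->ar_hln + ap->ar_pln. Kept as an integer so a bogus
 * header cannot make this code form an out-of-range pointer. */
static size_t ar_tha_offset(const struct arphdr *ah)
{
    return sizeof(*ah) + ah->ar_hln + ah->ar_pln;
}

/* ar_op read byte-wise (big-endian on the wire) so the result is host-order independent. */
static unsigned arp_op(const struct arphdr *ah)
{
    const uint8_t *p = (const uint8_t *)&ah->ar_op;
    return ((unsigned)p[0] << 8) | p[1];
}

/* The audited path: arphdr view taken at offset 0, on top of the ether_header space. */
static unsigned arp_op_wrong_view(const uint8_t *buf)
{
    return arp_op((const struct arphdr *)buf);
}

/* Same path continued: *tha_off receives the absolute offset that
 * bcopy(ar_tha(ah), edst, 6) would read from. Returns 1 if those 6 bytes lie inside
 * the frame, 0 if the copy would run off the end. */
static int arp_tha_wrong_view(const uint8_t *buf, size_t len, size_t *tha_off)
{
    const struct arphdr *ah = (const struct arphdr *)buf;
    *tha_off = ar_tha_offset(ah);
    return *tha_off + 6 <= len;
}

/* Correct view of the opcode: skip the Ethernet header first. */
static unsigned arp_op_right_view(const uint8_t *buf)
{
    return arp_op((const struct arphdr *)(buf + ETH_HLEN));
}

/* Corrected form: skip the Ethernet header, then validate hln/pln against the bytes
 * actually present before anything reads through ar_tha. Returns the absolute offset
 * of the 6-byte target hardware address, or (size_t)-1 if the header is unusable. */
static size_t arp_tha_checked(const uint8_t *buf, size_t len)
{
    if (len < ETH_HLEN + sizeof(struct arphdr))
        return (size_t)-1;
    const struct arphdr *ah = (const struct arphdr *)(buf + ETH_HLEN);
    size_t off = ETH_HLEN + ar_tha_offset(ah);
    if (ah->ar_hln != 6 || off + ah->ar_hln > len)   /* Ethernet ARP only; copy reads 6 */
        return (size_t)-1;
    return off;
}
```

Two fill values show the two failure modes the finding describes: with 0xff in the prepended space the wrong view sees ar_hln = ar_pln = 255 and ar_tha lands at offset 518 of a 42-byte frame (the out-of-bounds read); with 0x00 it sees zero lengths, stays in bounds, and silently copies ether_shost[2..] as the destination MAC (the uninitialized read). The checked variant returns offset 32, where the constructed target address actually sits.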