DragonFlyBSD Kernel Audit
DF-0449

Heap buffer overflow in ng_string_parse: missing *buflen bounds check before bcopy of user-supplied string

Summary

ng_string_parse() (lines 704-720) calls bcopy(sval, buf, len) at line 716 with len = strlen(sval) + 1, and never checks that len <= *buflen. Every sibling parse function performs that check (int8_getDefault at line 385, fixedstring_parse at line 774, bytearray_parse at line 959).

Reachability: NGM_ASCII2BINARY (ng_base.c lines 1578-1648) uses a fixed bufSize of 2000. A message carrying NGF_RESP together with NGM_TEXT_CONFIG or NGM_TEXT_STATUS makes respType resolve to string_type, so a string longer than 2000 bytes causes the bcopy to write past the 2000-byte binary->data allocation into adjacent heap memory. arglen is then set from the inflated length (line 1644), which yields a secondary out-of-bounds read when the response is copied back.

This is distinct from DF-0410, which covers the netgraph7 unparse direction. ng_socket access is root-gated (SYSCAP_RESTRICTEDROOT).
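The missing check and its fix, as an added illustration that is not DragonFlyBSD's code: the function names, signatures and the DEMO_BUFSIZE constant are hypothetical and only model the pattern the finding describes (a parser that derives its copy length from the input while ignoring the caller's *buflen), alongside the form the sibling parsers already use.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the pattern in the finding, not kernel code:
 * names, signatures and sizes are hypothetical. */
#define DEMO_BUFSIZE 2000	/* models the fixed 2000-byte output allocation */

/* Unchecked form: len comes from the input alone and *buflen is never
 * consulted, so a long string writes past the end of buf. Shown for
 * contrast only; do not call it with input longer than the buffer. */
int string_parse_unchecked(const char *sval, char *buf, int *buflen)
{
	int len = (int)strlen(sval) + 1;
	memcpy(buf, sval, (size_t)len);	/* overflows buf when len > *buflen */
	*buflen = len;
	return 0;
}

/* Hardened form: refuse before copying, as the sibling parsers do. On
 * rejection buf and *buflen are left untouched, so a caller cannot pick up
 * an inflated length for a later copy. */
int string_parse_checked(const char *sval, char *buf, int *buflen)
{
	size_t len = strlen(sval) + 1;
	if (*buflen < 0 || len > (size_t)*buflen)
		return ERANGE;
	memcpy(buf, sval, len);
	*buflen = (int)len;
	return 0;
}

/* Models the ASCII-to-binary response path: parse into a fixed-size output
 * buffer and return the length the reply would carry, or -1 on rejection so
 * the caller never derives a reply length from a string that did not fit. */
int demo_ascii2binary(const char *text, char *out, int outsize)
{
	int buflen = outsize;
	if (string_parse_checked(text, out, &buflen) != 0)
		return -1;
	return buflen;
}
```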