DragonFlyBSD Kernel Audit
← dashboard
DF-0452

Octal/hex escape loops in ng_get_string_token: counter k never incremented, consumes all consecutive digits

Summary

ng_get_string_token(:1599-1617): octal loop for(x=k=0;k<3&&*v>=0x30&&*v<=0x37;v++)(:1601) — k init to 0 but NEVER incremented (increment clause is v++ not k++,v++). k<3 always true -> consumes ALL consecutive octal digits instead of max 3. Hex loop(:1609) identical bug k never incremented. Input \x4142 parsed as single escape (decoded 0x4142=0x42) not \x41(A)+literal 42. No memory safety: cbuf sized strlen(s+start) suffices since escapes only shrink. Signed int x overflow UB on long sequences.