DragonFlyBSD Kernel Audit
← dashboard
DF-0460

status_frac / tx_frac sysctls have no upper bound: signed int overflow in ifpoll_compat_setup

Summary

sysctl_stfrac(:1497)/sysctl_txfrac(:1535) reject <1 but no upper bound. Root can set INT_MAX. ifpoll_compat_setup(:1569-1570) (poll_stfrac+1)*howmany(IOPOLL_BURST_MAX,IOPOLL_EACH_BURST)-1 multiplies INT_MAX*5 = signed int overflow UB. Garbage ifpc_stfrac feeds driver compat polling state. No memory corruption. Fix: upper-bound clamp.