DragonFlyBSD Kernel Audit
DF-0468

ip6_savecontrol ext-header walk has no nest limit (self-flagged by code comment)

Summary

Unlike the ip6_input loop, which enforces ip6_hdrnestlimit=50 (:693), the extension-header walk in ip6_savecontrol is an open while(1) loop (:1214) whose own comment asks "is explicit loop prevention necessary?". The walk is bounded only by m->m_len (roughly pkt_size/8 iterations) and has no explicit limit. A socket with IN6P_RTHDR set (no privilege required, unlike DSTOPTS/HOPOPTS) triggers a per-header mbuf allocation via sbcreatecontrol. A crafted jumbogram carrying thousands of 8-byte extension headers therefore costs O(pkt_size/8) iterations plus one mbuf allocation per header on the receive path. Impact: localized CPU/mbuf amplification. No memory corruption.
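Added example, not code from the DragonFlyBSD tree: a standalone C model of a bounded extension-header walk that charges every header against the same 50-header limit ip6_input applies, with a constructed chain of minimal 8-byte routing headers to exercise it. The function names (ip6_walk_exthdrs, walk_rthdr_chain) and the reduced header set (HOPOPTS/DSTOPTS/RTHDR only) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IPv6 Next Header values (IANA), defined locally so this builds without netinet headers. */
#define IP6_HOPOPTS   0
#define IP6_ROUTING  43
#define IP6_NONE     59
#define IP6_DSTOPTS  60
#define IP6_HDRNESTLIMIT 50      /* same default ip6_input applies via ip6_hdrnestlimit */
#define WALK_ERR_TRUNC  (-1)     /* a header runs past the end of the buffer */
#define WALK_ERR_NEST   (-2)     /* chain longer than IP6_HDRNESTLIMIT */

/* Walk the extension-header chain in buf[0..len) that begins with Next Header
 * value nxt. Returns the number of headers visited or a negative WALK_ERR_*.
 * Every header is charged against the nest limit, so a packet stuffed with
 * thousands of 8-byte headers is rejected after 50 instead of costing O(len/8). */
int ip6_walk_exthdrs(const uint8_t *buf, size_t len, uint8_t nxt)
{
    size_t off = 0, hlen;
    int count = 0;
    for (;;) {
        switch (nxt) {
        case IP6_HOPOPTS: case IP6_DSTOPTS: case IP6_ROUTING:
            if (off + 2 > len) return WALK_ERR_TRUNC;
            hlen = ((size_t)buf[off + 1] + 1) * 8;   /* Hdr Ext Len: 8-octet units, excluding the first 8 */
            break;
        default:
            return count;                            /* upper-layer protocol or No Next Header: chain ends */
        }
        if (++count > IP6_HDRNESTLIMIT) return WALK_ERR_NEST;
        if (off + hlen > len) return WALK_ERR_TRUNC;
        nxt = buf[off];                              /* Next Header is always the first octet */
        off += hlen;
    }
}

/* Constructed input (hypothetical helper): n minimal 8-byte routing headers
 * chained back to back, the last one pointing at No Next Header. */
int walk_rthdr_chain(int n)
{
    static uint8_t pkt[8 * 4096];
    size_t off = 0;
    for (int i = 0; i < n && off + 8 <= sizeof pkt; i++, off += 8) {
        memset(pkt + off, 0, 8);                            /* Hdr Ext Len 0 => 8 bytes */
        pkt[off] = (i + 1 < n) ? IP6_ROUTING : IP6_NONE;   /* Next Header */
    }
    return ip6_walk_exthdrs(pkt, off, IP6_ROUTING);
}
```

A chain of 50 headers is accepted, the 51st returns WALK_ERR_NEST before any further per-header work is done, and a header whose length field overruns the buffer returns WALK_ERR_TRUNC.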