DragonFlyBSD Kernel Audit
DF-0471

ip_fw3_ctl_x: size_t underflow in sopt_valsize when <4 causes unbounded bcopy heap corruption/panic

Summary

ip_fw3_ctl_x (:1038-1047) performs sopt->sopt_valsize -= sizeof(ip_fw_x_header) (= 4) at :1044 without checking that sopt_valsize >= 4. sopt_valsize is a size_t (unsigned), so any value < 4 wraps to roughly SIZE_MAX. The following bcopy(++x_header, sopt_val, sopt_valsize) at :1045 then attempts to copy on the order of 2^64 bytes, causing massive heap corruption before the eventual fault. The read of x_header->opcode at :1043 from a buffer shorter than 4 bytes is also an out-of-bounds read. There is no priv_check on the path (raw_ip.c:335 -> ip_fw3_glue.c:51 -> ip_fw3_ctl_x); creating a raw IP socket does require root. Fix: if (sopt_valsize < sizeof(ip_fw_x_header)) return EINVAL; before the subtraction.
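An added model of the defect and its fix, written for this note rather than taken from DragonFlyBSD: the struct names and layout are assumed (the real ip_fw_x_header is only stated to be 4 bytes with an opcode field), the "before" function returns the wrapped length instead of copying, and the "after" function applies the EINVAL check above.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Assumed 4-byte header model; the note states only sizeof == 4 and an opcode field. */
struct model_x_header {
	uint16_t opcode;
	uint16_t pad;
};

/* Assumed sockopt carrier with the note's sopt_val / sopt_valsize fields. */
struct model_sockopt {
	void *sopt_val;
	size_t sopt_valsize;
};

/* Before (:1044): the length bcopy would receive. For sopt_valsize < 4 the
 * unsigned subtraction wraps to near SIZE_MAX. No copy is performed here. */
size_t payload_len_unchecked(size_t sopt_valsize)
{
	return sopt_valsize - sizeof(struct model_x_header);
}

/* After: validate before any arithmetic on the unsigned length. Copies the
 * payload behind the header into dst; returns 0 on success or EINVAL. */
int ctl_x_checked(struct model_sockopt *sopt, void *dst, size_t dst_len,
                  uint16_t *opcode_out)
{
	if (sopt->sopt_valsize < sizeof(struct model_x_header))
		return EINVAL;                          /* the fix from the note */
	struct model_x_header *hdr = sopt->sopt_val;
	size_t payload = sopt->sopt_valsize - sizeof(*hdr); /* cannot wrap now */
	if (payload > dst_len)
		return EINVAL;                          /* payload must fit the destination */
	*opcode_out = hdr->opcode;                  /* :1043, now guaranteed in bounds */
	memcpy(dst, hdr + 1, payload);              /* ++x_header: skip past the header */
	return 0;
}

/* Constructed scenario: an 8-byte buffer (opcode 7, payload "abcd") presented
 * with the given claimed sopt_valsize. Returns ctl_x_checked's result code. */
int scenario_rc(size_t claimed_valsize)
{
	struct { struct model_x_header h; uint8_t payload[4]; } buf =
		{ { 7, 0 }, { 'a', 'b', 'c', 'd' } };
	uint8_t dst[8];
	uint16_t opcode = 0;
	struct model_sockopt sopt = { &buf, claimed_valsize };
	return ctl_x_checked(&sopt, dst, sizeof(dst), &opcode);
}
```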