DragonFlyBSD Kernel Audit
DF-0472

ip_fw3_ctl_add_rule missing cmd_len validation: heap over-read + info leak + OOB function pointer call

Summary

ip_fw3_ctl_add_rule (:950) validates the total buffer length (32..1020 bytes) but never checks cmd_len against the amount of data actually provided. The rule is krealloc'd to IPFW_RULE_SIZE_MAX*4 = 1020 bytes (:950), so any bytes beyond the user-supplied data are uninitialized heap. add_rule_dispatch (:655) then does bcopy(ioc_rule->cmd, rule->cmd, cmd_len*4); with a user-controlled cmd_len of 255 this reads 1020 bytes starting at offset ~40, i.e. a ~40-byte heap over-read past the end of the allocation. The garbage opcodes become part of the installed rule. ip_fw3_ctl_get_rules (:1026) copies them back to userland via IP_FW_GET (heap info leak), and ip_fw3_chk iterates over them, so filter_funcs[module][opcode] is indexed out of bounds and an out-of-bounds function pointer is called. Fix: validate cmd_len <= IPFW_RULE_SIZE_MAX - header, act_ofs < cmd_len, and set < 32.
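As an added example (not code from the audit or from DragonFlyBSD), the checks the fix calls for, written against a hypothetical rule header whose field names follow the note. IPFW_RULE_SIZE_MAX = 255 is taken from the 255*4 = 1020 figure above; the header layout, IPFW_SET_MAX and the check_rule helper are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* From the audit note: the rule buffer holds at most IPFW_RULE_SIZE_MAX
 * 32-bit words (255 * 4 = 1020 bytes); rule sets are numbered 0..31. */
#define IPFW_RULE_SIZE_MAX 255
#define IPFW_SET_MAX       32

/* Hypothetical stand-in for the ioctl rule header. Field names follow the
 * audit note; the layout is an assumption, not DragonFly's real struct. */
struct ioc_rule_hdr {
    uint16_t act_ofs;   /* index of the action opcode, in 32-bit words */
    uint16_t cmd_len;   /* length of the opcode array, in 32-bit words */
    uint8_t  set;       /* rule set number */
    uint8_t  pad[3];    /* explicit padding: header is exactly 8 bytes */
    uint32_t cmd[];     /* opcode array supplied by userland */
};
#define IOC_HDR_WORDS (sizeof(struct ioc_rule_hdr) / 4)

/* True only if the opcode array the header describes lies entirely inside
 * the `provided` bytes actually copied in from userland, so that a later
 * bcopy(cmd, ..., cmd_len * 4) cannot read past the user-supplied data. */
bool ioc_rule_valid(const struct ioc_rule_hdr *r, size_t provided)
{
    if (provided < sizeof(*r))                    /* header must be complete */
        return false;
    if (r->cmd_len > IPFW_RULE_SIZE_MAX - IOC_HDR_WORDS)
        return false;                             /* must fit the fixed buffer */
    if ((size_t)r->cmd_len * 4 > provided - sizeof(*r))
        return false;                             /* must be backed by user data */
    if (r->act_ofs >= r->cmd_len)                 /* action inside the array */
        return false;
    if (r->set >= IPFW_SET_MAX)
        return false;
    return true;
}

/* Builds a header from scalar fields in a word-aligned buffer and validates
 * it; `provided` is the byte count the caller claims to have copied in. */
bool check_rule(uint16_t act_ofs, uint16_t cmd_len, uint8_t set, size_t provided)
{
    union { struct ioc_rule_hdr h; uint32_t words[IPFW_RULE_SIZE_MAX]; } u;
    u.h.act_ofs = act_ofs;
    u.h.cmd_len = cmd_len;
    u.h.set = set;
    return ioc_rule_valid(&u.h, provided);
}
```

The case from the note, cmd_len = 255 with a full 1020-byte buffer, is rejected because 255 words plus the header cannot fit the allocation; a rule is accepted only when every byte bcopy would read was supplied by the caller.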