DragonFlyBSD Kernel Audit
DF-0473

ip_fw3_chk: unbounded filter_funcs[module][opcode] indexing -> OOB function pointer call on remote traffic

Summary

At ip_fw3_chk (:506-507) the filter dispatch is (filter_funcs[cmd->module][cmd->opcode])(...). The table is declared filter_funcs[MAX_MODULE=10][MAX_OPCODE_PER_MODULE=100] (:163), but cmd->module and cmd->opcode are uint8_t (0-255) and are NEVER bounds-checked. A module >= 10 or opcode >= 100 indexes past the 1000-element table into the adjacent fw3_modules/fw3_ctx/fw3_sync_ctx globals, so whatever sits there is read as a function pointer and called.

Reachable from remote traffic whenever a matching rule contains such an opcode (plantable via the cmd_len gap, DF-next, or directly by root). There is also no NULL check, so an in-range but unregistered opcode dereferences NULL and panics.

Fix: validate module < MAX_MODULE, opcode < MAX_OPCODE_PER_MODULE and fn != NULL before the call.
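As an added illustration of the recommended fix (this is not code from the DragonFlyBSD tree; the struct, function and table names are hypothetical stand-ins, only the dimensions are the ones quoted above): a minimal dispatch table with the two bounds checks and the NULL check applied before the indirect call, plus the same check factored out so a rule loader can reject a bad instruction at install time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Dimensions quoted in the finding (:163). */
#define MAX_MODULE            10
#define MAX_OPCODE_PER_MODULE 100

/* Hypothetical stand-in for the instruction header; only the two
 * uint8_t index fields matter here. */
struct fw3_insn {
    uint8_t module;
    uint8_t opcode;
};

typedef int (*fw3_filter_t)(const struct fw3_insn *cmd);

/* 1000-slot table. Any index past it reads whatever the linker placed
 * next, which is what the unchecked lookup in the finding does. */
static fw3_filter_t filter_funcs[MAX_MODULE][MAX_OPCODE_PER_MODULE];

enum {
    FW3_BAD_MODULE   = -1,   /* module >= MAX_MODULE */
    FW3_BAD_OPCODE   = -2,   /* opcode >= MAX_OPCODE_PER_MODULE */
    FW3_UNREGISTERED = -3,   /* in range but no handler installed */
};

/* Validate both indices and the slot without calling anything. uint8_t
 * gives the compiler nothing to warn about, so the checks must be explicit. */
int fw3_insn_check(const struct fw3_insn *cmd)
{
    if (cmd->module >= MAX_MODULE)
        return FW3_BAD_MODULE;
    if (cmd->opcode >= MAX_OPCODE_PER_MODULE)
        return FW3_BAD_OPCODE;
    if (filter_funcs[cmd->module][cmd->opcode] == NULL)
        return FW3_UNREGISTERED;
    return 0;
}

/* Registration applies the same bounds so a bad slot can never be written. */
int fw3_register_filter(uint8_t module, uint8_t opcode, fw3_filter_t fn)
{
    if (module >= MAX_MODULE)
        return FW3_BAD_MODULE;
    if (opcode >= MAX_OPCODE_PER_MODULE)
        return FW3_BAD_OPCODE;
    filter_funcs[module][opcode] = fn;
    return 0;
}

/* Per-packet dispatch: module bound, opcode bound, non-NULL slot, and
 * only then the indirect call. */
int fw3_dispatch_checked(const struct fw3_insn *cmd)
{
    int rc = fw3_insn_check(cmd);
    if (rc != 0)
        return rc;
    return filter_funcs[cmd->module][cmd->opcode](cmd);
}

/* Build an instruction from the two raw index bytes and dispatch it. */
int fw3_try(uint8_t module, uint8_t opcode)
{
    struct fw3_insn cmd = { module, opcode };
    return fw3_dispatch_checked(&cmd);
}

/* Two sample handlers standing in for real filter modules. */
static int sample_allow(const struct fw3_insn *cmd) { (void)cmd; return 1; }
static int sample_deny(const struct fw3_insn *cmd)  { (void)cmd; return 0; }

int main(void)
{
    fw3_register_filter(0, 1, sample_allow);
    fw3_register_filter(3, 7, sample_deny);

    printf("valid allow  -> %d\n", fw3_try(0, 1));     /* 1 */
    printf("valid deny   -> %d\n", fw3_try(3, 7));     /* 0 */
    printf("module 10    -> %d\n", fw3_try(10, 0));    /* -1, first slot past the table */
    printf("opcode 100   -> %d\n", fw3_try(0, 100));   /* -2 */
    printf("module 255   -> %d\n", fw3_try(255, 255)); /* -1, largest uint8_t pair */
    printf("unregistered -> %d\n", fw3_try(5, 5));     /* -3, would be a NULL call */
    return 0;
}
```

Keeping fw3_insn_check separate lets the rule loader reject an instruction with an out-of-range or unregistered opcode before it is ever installed, which is the cheap place to catch it; the check stays in the packet path as well, since the rule set and the function table are maintained independently and the per-packet call is what a remote sender can trigger.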