DragonFlyBSD Kernel Audit
DF-0474

Opcode iteration loop: F_LEN(cmd)==0 causes infinite loop hanging netisr thread

Summary

The opcode iteration loop advances with l -= cmdlen; cmd = (uint32_t *)cmd + cmdlen, where cmdlen = F_LEN(cmd) = cmd->len & 0x3f (ip_fw3.h:122). If the low 6 bits of an opcode's len field are 0 (for example len = 0x80, F_NOT, or len = 0x40, F_OR, each with a zero length), cmdlen is 0, so neither l nor cmd advances and the loop condition l > 0 holds forever. The same pattern appears in ip_fw3_unregister_module (lines 201-204). A crafted rule containing a zero-length opcode therefore permanently hangs the netisr thread: root installs the rule, and any remote traffic that reaches the rule triggers the hang. Fix: if (cmdlen == 0) goto next_rule.
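The loop shape described above, modelled as an added example that is not DragonFlyBSD source: the struct layout, field names, opcode numbers and the max_iter bound are assumptions used so the model terminates, while F_LEN, F_NOT and F_OR follow the page. walk_rule_unchecked shows the stuck loop, walk_rule_checked applies the cmdlen == 0 exit from the finding, and rule_is_well_formed is an install-time validation a defender would add so such a rule is rejected before it can reach the packet path.

```c
/* Added model of the ip_fw3 opcode iteration bug; not DragonFlyBSD code.
 * Layout below is an assumption: one 32-bit word per instruction header,
 * so advancing by cmdlen struct elements matches (uint32_t *)cmd + cmdlen. */
#include <stdint.h>
#include <stdio.h>

#define F_LEN_MASK 0x3f                 /* low 6 bits: length in 32-bit words */
#define F_NOT      0x80                 /* flag bits in the high two bits */
#define F_OR       0x40
#define F_LEN(cmd) ((cmd)->len & F_LEN_MASK)

struct insn {
    uint8_t  opcode;
    uint8_t  len;
    uint16_t arg1;
};

/* Vulnerable loop shape: when cmdlen == 0 neither l nor cmd changes.
 * max_iter is only here so the model returns; the real thread would spin.
 * Returns number of opcodes visited, or -1 if the bound was hit (hang). */
int walk_rule_unchecked(const struct insn *cmd, int cmd_len, int max_iter)
{
    int l = cmd_len, visited = 0, iter = 0;
    while (l > 0) {
        if (++iter > max_iter)
            return -1;                  /* would never terminate */
        int cmdlen = F_LEN(cmd);
        visited++;
        l -= cmdlen;
        cmd += cmdlen;
    }
    return visited;
}

/* Hardened loop: a zero-length opcode ends processing of this rule,
 * which is the finding's "goto next_rule". Returns -2 in that case. */
int walk_rule_checked(const struct insn *cmd, int cmd_len)
{
    int l = cmd_len, visited = 0;
    while (l > 0) {
        int cmdlen = F_LEN(cmd);
        if (cmdlen == 0)
            return -2;                  /* malformed: skip to next rule */
        visited++;
        l -= cmdlen;
        cmd += cmdlen;
    }
    return visited;
}

/* Install-time check: every opcode must have a non-zero length and the
 * opcode lengths must sum exactly to cmd_len (no overrun, no leftover). */
int rule_is_well_formed(const struct insn *cmd, int cmd_len)
{
    int l = cmd_len;
    while (l > 0) {
        int cmdlen = F_LEN(cmd);
        if (cmdlen == 0 || cmdlen > l)
            return 0;
        l -= cmdlen;
        cmd += cmdlen;
    }
    return l == 0;
}

/* Constructed sample rules; opcode numbers are arbitrary placeholders. */
#define GOOD_RULE_LEN 3
static const struct insn GOOD_RULE[GOOD_RULE_LEN] = {
    { .opcode = 1, .len = 1,         .arg1 = 0 },   /* 1-word opcode */
    { .opcode = 2, .len = F_NOT | 2, .arg1 = 0 },   /* 2-word opcode, negated */
    { .opcode = 0, .len = 0,         .arg1 = 80 },  /* payload word of opcode 2 */
};

#define BAD_RULE_LEN 2
static const struct insn BAD_RULE[BAD_RULE_LEN] = {
    { .opcode = 1, .len = 1,         .arg1 = 0 },
    { .opcode = 2, .len = F_NOT | 0, .arg1 = 0 },   /* F_NOT with zero length */
};

int main(void)
{
    printf("good rule: unchecked=%d checked=%d well_formed=%d\n",
           walk_rule_unchecked(GOOD_RULE, GOOD_RULE_LEN, 1000),
           walk_rule_checked(GOOD_RULE, GOOD_RULE_LEN),
           rule_is_well_formed(GOOD_RULE, GOOD_RULE_LEN));
    printf("bad rule:  unchecked=%d checked=%d well_formed=%d\n",
           walk_rule_unchecked(BAD_RULE, BAD_RULE_LEN, 1000),
           walk_rule_checked(BAD_RULE, BAD_RULE_LEN),
           rule_is_well_formed(BAD_RULE, BAD_RULE_LEN));
    return 0;
}
```

The unchecked walker hits its iteration bound on the bad rule while the checked walker leaves after one opcode; rule_is_well_formed rejects the same rule at installation, which also covers the ip_fw3_unregister_module path since that loop never sees a malformed rule.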