DragonFlyBSD Kernel Audit
DF-0475

act_ofs never validated: OOB pointer deref via ACTION_PTR during packet matching

Summary

act_ofs is copied verbatim from user input (add_rule_dispatch:651) with no check that act_ofs <= cmd_len. ACTION_PTR (ip_fw3.h:134) is defined as (uint32_t *)cmd + act_ofs, so when act_ofs >= cmd_len it points past the end of the cmd array. The out-of-bounds pointer is then dereferenced at:

- ip_fw3_chk, CHK_STATE (:522-524): reads cmd->module and cmd->opcode from out-of-bounds memory, bypassing the l > 0 guard, which leads to an out-of-bounds filter_funcs call;
- lookup_next_rule (:294-296): out-of-bounds read;
- ip_fw3_dummynet_io (:608-611): out-of-bounds read of the opcode.

Root crafts the rule; remote traffic then triggers the out-of-bounds heap read and function call. Fix: validate act_ofs < cmd_len in add_rule_dispatch.
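As an added example (not code from the DragonFlyBSD tree), a simplified model of the rule layout showing the unchecked offset arithmetic next to the validation the finding recommends for add_rule_dispatch. The struct and function names are assumptions, and the rule is reduced to a plain array of 32-bit words.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Hypothetical stand-in for the ipfw3 rule: an instruction stream of
 * cmd_len 32-bit words, with the action starting act_ofs words in.
 * This is a simplified model, not the real struct. */
#define MAX_CMD_WORDS 16

struct mock_rule {
    uint16_t act_ofs;             /* offset of the action, in 32-bit words */
    uint16_t cmd_len;             /* total instruction length, in 32-bit words */
    uint32_t cmd[MAX_CMD_WORDS];  /* instruction stream */
};

/* Models the unchecked ACTION_PTR arithmetic described in the finding:
 * nothing stops act_ofs from indexing past cmd[cmd_len - 1]. */
#define UNCHECKED_ACTION_PTR(r) ((uint32_t *)(r)->cmd + (r)->act_ofs)

/* The check the finding recommends: the action offset must land inside
 * the instruction stream. act_ofs == cmd_len is already one word past
 * the end, so the comparison must be strict. Returns 0 or EINVAL. */
int validate_act_ofs(uint16_t act_ofs, uint16_t cmd_len)
{
    if (cmd_len == 0 || cmd_len > MAX_CMD_WORDS)
        return EINVAL;
    if (act_ofs >= cmd_len)
        return EINVAL;
    return 0;
}

/* Bounds-checked accessor: NULL instead of an out-of-bounds pointer. */
const uint32_t *checked_action_ptr(const struct mock_rule *r)
{
    if (validate_act_ofs(r->act_ofs, r->cmd_len) != 0)
        return NULL;
    return &r->cmd[r->act_ofs];
}

/* How many words past the end of the instruction stream the unchecked
 * pointer would reach; 0 means it is in bounds. Computed arithmetically
 * so no out-of-bounds pointer is ever formed. */
size_t words_past_end(uint16_t act_ofs, uint16_t cmd_len)
{
    if (act_ofs < cmd_len)
        return 0;
    return (size_t)act_ofs - cmd_len + 1;
}
```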