DragonFlyBSD Kernel Audit
DF-0476

ip_fw3_register_module: strncpy bounded by strlen(src) not sizeof(dst): buffer overflow + missing NUL

Summary

ip_fw3_register_module (:180) calls strncpy(tmp->name, module_name, strlen(module_name)). fw3_modules[].name is char[20] (ip_fw3.h:496), so the copy is bounded by the SOURCE length, not the DEST size. A module_name of 20 or more characters overflows name[20] into the adjacent fw3_modules slot's type/id, or past the end of the array into fw3_sync_ctx.

Because the bound is strlen(src), strncpy never appends a NUL. When a slot is reused, stale bytes from the previous name remain and propagate to the strcat in ip_fw3_ctl_get_modules (:982), which reads past name[20] until it reaches a zero byte. The result is an overflow of module_str[1024] or a leak of global data via IP_FW_MODULE.

Fix: strlcpy(tmp->name, module_name, sizeof(tmp->name)).
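The missing-NUL half of this finding can be reproduced in userland without overflowing anything. The example below is added here and is not the DragonFlyBSD source: struct mod_slot, the register_* helpers and the module names are constructed, and a length-capped memcpy stands in for strlcpy, which not every libc provides.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20                 /* char name[20], as in the finding */
struct mod_slot {                   /* hypothetical stand-in for one fw3_modules[] slot */
    int  type, id;
    char name[NAME_LEN];
};

/* Pattern from the finding: the bound is strlen(src), so no NUL is written.
 * Called below only with names shorter than NAME_LEN, so it stays in bounds. */
static void register_unsafe(struct mod_slot *s, const char *module_name)
{
    strncpy(s->name, module_name, strlen(module_name));
}

/* strlcpy-like copy: bound is the destination size, result always terminated.
 * Returns 1 if the name was truncated, 0 otherwise. */
static int register_safe(struct mod_slot *s, const char *module_name)
{
    size_t n = strlen(module_name), max = sizeof(s->name) - 1;
    int truncated = n > max;
    if (truncated) n = max;
    memcpy(s->name, module_name, n);
    s->name[n] = '\0';
    return truncated;
}

/* Length of the name a reader such as strcat() would see, capped at NAME_LEN. */
static size_t visible_len(const struct mod_slot *s)
{
    const char *end = memchr(s->name, '\0', sizeof(s->name));
    return end ? (size_t)(end - s->name) : sizeof(s->name);
}

/* Fill a slot with old_name, then reuse it for new_name; return visible length. */
static size_t reuse_slot(int safe, const char *old_name, const char *new_name)
{
    struct mod_slot s = {0};
    register_safe(&s, old_name);
    if (safe) register_safe(&s, new_name);
    else      register_unsafe(&s, new_name);
    return visible_len(&s);
}

int main(void)
{
    printf("unsafe: %zu, safe: %zu\n", reuse_slot(0, "layer4_constructed", "nat"),
           reuse_slot(1, "layer4_constructed", "nat"));
}
```

With the unsafe copy the reused slot still reads as an 18-character name ("nat" followed by the tail of the old one); with the bounded copy it reads as 3.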