DragonFlyBSD Kernel Audit
DF-0478

Rule set field not validated: 1<<set with set>=32 is UB enabling rule-set bypass

Summary

Line :487 evaluates ctx->sets & (1 << f->set). The constant 1 is an int (32-bit) and f->set is a uint8_t (0-255). The ip_fw struct comment says set is 0..31 (ip_fw3.h:266), but add_rule_dispatch copies set from the user without validation. For set >= 32, 1 << set is undefined behaviour. x86 hardware masks the shift count to 5 bits (set & 31), so set=32 is treated as set=0 and set=33 as set=1. The rule is silently checked against the wrong set bit, which can potentially bypass a disabled rule set. Fix: if (set >= 32) return EINVAL in add_rule_dispatch.
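
The aliasing described above, as an added example that is not the DragonFly kernel's code. The x86 5-bit shift-count masking is modelled with an explicit & 31 so the example has no undefined behaviour of its own; the function names, IPFW_SET_MAX and the sample mask are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define IPFW_SET_MAX 32u /* hypothetical name; the page gives the valid range as 0..31 */

/* Models the x86 behaviour the finding describes for 1 << set: the shift
 * count is masked to 5 bits. The mask is explicit here so this example
 * contains no undefined behaviour of its own. */
static uint32_t set_bit_as_x86(uint8_t set)
{
    return UINT32_C(1) << (set & 31u);
}

/* The unvalidated check, ctx->sets & (1 << f->set), as x86 evaluates it. */
static int set_enabled_unvalidated(uint32_t sets, uint8_t set)
{
    return (sets & set_bit_as_x86(set)) != 0;
}

/* The fix proposed in the finding: reject set >= 32 when the rule is added. */
static int validate_rule_set(uint8_t set)
{
    return set >= IPFW_SET_MAX ? EINVAL : 0;
}

/* Match-time check that stays well defined even if a bad value got through. */
static int set_enabled_checked(uint32_t sets, uint8_t set)
{
    if (set >= IPFW_SET_MAX)
        return 0;
    return (sets & (UINT32_C(1) << set)) != 0;
}

int main(void)
{
    const uint32_t sets = 0x1u; /* constructed mask: set 0 enabled, set 1 disabled */
    const uint8_t samples[] = { 0, 1, 31, 32, 33, 255 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint8_t s = samples[i];
        printf("set=%3u unvalidated=%d add_rule=%s checked=%d\n", (unsigned)s,
               set_enabled_unvalidated(sets, s),
               validate_rule_set(s) ? "EINVAL" : "ok",
               set_enabled_checked(sets, s));
    }
    return 0;
}
```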