DragonFlyBSD Kernel Audit
DF-0479

ip_fw3_ctl_delete_rule: unchecked direct pointer deref of sopt_val without size validation

Summary

In ip_fw3_ctl_delete_rule (:850, :860) the code does rulenum=(int*)sopt_val; dmsg.rulenum=*rulenum. This dereferences sopt_val directly without checking that sopt_valsize >= sizeof(int). The IP_FW_ZERO path correctly uses soopt_to_kbuf (:1162), but the DEL path does not.

Impact: when the DEL path is reached via IP_FW_X with a payload of fewer than 4 bytes after the x_header is stripped, the dereference reads past the allocated buffer. If sopt_val is NULL (valsize=0), the result is a NULL-dereference panic.

Fix: use soopt_to_kbuf, as the IP_FW_ZERO path does.
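
The following is an added example, not code from the DragonFlyBSD tree: a userland model of the check-then-copy pattern the fix calls for. struct sockopt_model, opt_to_kbuf, try_delete and sample_rulenum are hypothetical names, and the helper only models a length-validated copy; it is not the kernel's soopt_to_kbuf.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Userland stand-in for the two struct sockopt fields the finding names. */
struct sockopt_model {
    const void *sopt_val;      /* option payload (may be NULL) */
    size_t      sopt_valsize;  /* payload length in bytes */
};

/* Constructed sample rule number used as a valid payload. */
static const int sample_rulenum = 1000;

/*
 * Hypothetical helper: validate the length, then copy into a local buffer,
 * so the caller never dereferences sopt_val itself.
 */
static int
opt_to_kbuf(const struct sockopt_model *sopt, void *buf, size_t len, size_t minlen)
{
    size_t n = sopt->sopt_valsize;

    if (sopt->sopt_val == NULL || n < minlen)
        return EINVAL;          /* covers valsize=0/NULL and short payloads */
    if (n > len)
        n = len;                /* never write past the destination */
    memcpy(buf, sopt->sopt_val, n);
    return 0;
}

/*
 * Checked form of the delete path. The flagged pattern was:
 *     rulenum = (int *)sopt_val; dmsg.rulenum = *rulenum;
 * Returns the rule number, or -errno when the payload is rejected.
 */
int
try_delete(const void *val, size_t valsize)
{
    struct sockopt_model sopt = { val, valsize };
    int rulenum = 0;
    int error = opt_to_kbuf(&sopt, &rulenum, sizeof(rulenum), sizeof(rulenum));

    return error ? -error : rulenum;
}

int
main(void)
{
    return try_delete(NULL, 0) == -EINVAL ? 0 : 1;
}
```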