DragonFlyBSD Kernel Audit
DF-0491

NULL td dereference in the SIOCSIFDSTADDR and default ioctl handlers despite the documented "td might be NULL" contract

Summary

in_control() (line 221) documents that td might be NULL, and the privilege guards at lines 513 and 561 honour this with `if (td && ...)`, skipping the check when td is NULL. The SIOCSIFDSTADDR handler at line 606, however, calls `ifp->if_ioctl(ifp, SIOCSIFDSTADDR, (caddr_t)ia, td->td_proc->p_ucred)`, dereferencing td unconditionally; the default-case handler at line 735 has the same pattern. A kernel-initiated call with td = NULL for either of these commands therefore takes a NULL-page fault and panics. This is not reachable from unprivileged userspace, since td is always non-NULL for user-issued ioctls, but it is a latent crash bug that contradicts the function's own API contract. Fix: add `if (td == NULL) return EINVAL;` before the dereference, or fall back to proc0.p_ucred when td is NULL.
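The flagged dispatch pattern beside the two suggested fixes, as an added illustration that is not DragonFlyBSD source: the struct layouts, the `if_ioctl` stub, the `CMD_SIOCSIFDSTADDR` constant and the credential values are constructed stand-ins, and `fallback` selects between the EINVAL and proc0.p_ucred variants.

```c
/* Constructed model of the in_control() dispatch pattern from DF-0491.
 * Struct layouts, the if_ioctl stub and the request code are simplified
 * stand-ins, not DragonFlyBSD source. */
#include <stddef.h>
#include <errno.h>

struct ucred  { int cr_uid; };
struct proc   { struct ucred *p_ucred; };
struct thread { struct proc *td_proc; };
struct ifnet  {
    int (*if_ioctl)(struct ifnet *, unsigned long, void *, struct ucred *);
    struct ucred *last_cred;           /* credential the driver actually saw */
};
enum { CMD_SIOCSIFDSTADDR = 1 };       /* stand-in for the real request code */

static struct ucred cred0 = { 0 };     /* kernel credentials (proc0.p_ucred) */
static struct proc  proc0 = { &cred0 };
static struct ucred  ucred_user = { 1000 };      /* constructed user thread */
static struct proc   proc_user  = { &ucred_user };
static struct thread td_user    = { &proc_user };

static int stub_if_ioctl(struct ifnet *ifp, unsigned long cmd, void *data, struct ucred *cred)
{
    (void)cmd; (void)data;
    ifp->last_cred = cred;             /* record what the driver was handed */
    return 0;
}
static struct ifnet ifp0 = { stub_if_ioctl, NULL };

/* Before: the pattern the audit flags. td is dereferenced unconditionally,
 * so a kernel-originated call with td == NULL faults on the NULL page. */
static int dispatch_dstaddr_unchecked(struct ifnet *ifp, void *ia, struct thread *td)
{
    return ifp->if_ioctl(ifp, CMD_SIOCSIFDSTADDR, ia, td->td_proc->p_ucred);
}

/* After: honour the "td might be NULL" contract. fallback == 0 rejects with
 * EINVAL; fallback != 0 substitutes proc0's credentials instead. */
static int dispatch_dstaddr_checked(struct ifnet *ifp, void *ia, struct thread *td,
                                    int fallback)
{
    if (td == NULL && !fallback)
        return EINVAL;
    return ifp->if_ioctl(ifp, CMD_SIOCSIFDSTADDR, ia,
                         td ? td->td_proc->p_ucred : proc0.p_ucred);
}
```

Calling `dispatch_dstaddr_unchecked` with a NULL td reproduces the fault the finding describes, which is why only the checked variant is safe to exercise on that input.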