DragonFlyBSD Kernel Audit
DF-0493

KASSERT-only bounds check on nack before xwin[] indexing: no runtime protection in production kernels

Summary

ng_l2tp_seq_recv_nr() (:1141-1154) derives nack from the peer-supplied Nr field via L2TP_SEQ_DIFF (:1135) and then uses it as an index into the transmit window xwin[], which holds L2TP_MAX_XWIN = 16 entries. The only bound placed on nack before the array is touched is KASSERT(nack <= L2TP_MAX_XWIN) (:1141), and KASSERT is compiled out of non-INVARIANTS kernels, i.e. every production build. At that point there is no runtime check at all.

Under normal operation the earlier range check (:1137, L2TP_SEQ_DIFF <= 0, the acked sequence number may not run past ns) keeps nack inside the window, so the KASSERT cannot fire. That invariant only holds while ns and rack are consistent with each other, and the lockless race in DF-0492 lets them be mutated concurrently. If ns runs more than 16 ahead of rack, an attacker-chosen Nr passes the :1137 check with nack > 16. The free loop then calls m_freem() on memory past xwin[15], and the following memmove() runs out of bounds of xwin[]; the result is kernel heap corruption.

Taken alone this is a defense-in-depth gap, since it needs the companion race to break the invariant; combined with DF-0492 it turns a sequence-number race into memory corruption. Fix: add a runtime check, if (nack > L2TP_MAX_XWIN) return; (ideally counting it as a bad ack), before any access to xwin[], and keep the KASSERT for INVARIANTS builds.
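The following userland model, added here as an illustration and not DragonFly's own code, shows why the KASSERT-only version is unprotected in a non-INVARIANTS build and how the runtime check changes the outcome once the DF-0492 race has pushed ns more than 16 ahead of rack. The macro names and the order of the three checks mirror ng_l2tp.c; the struct layout, the int-per-slot stand-in for struct mbuf *, the recv_nr_result accounting and the exact memmove() arithmetic in shift_window() are assumptions made for the demo. The out-of-bounds frees and the oversized memmove() are counted rather than executed, so the program stays well defined while still showing what the kernel would do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define L2TP_MAX_XWIN 16
/* Signed difference of two 16-bit sequence numbers; handles wraparound. */
#define L2TP_SEQ_DIFF(x, y) ((int16_t)((x) - (y)))

/* Userland stand-in for the kernel KASSERT(): a check only in INVARIANTS builds. */
#ifdef INVARIANTS
#define KASSERT(cond, msg) \
    do { if (!(cond)) { fprintf(stderr, "panic: %s\n", #cond); abort(); } } while (0)
#else
#define KASSERT(cond, msg) do { } while (0)   /* production kernel: nothing here */
#endif

struct l2tp_seq {
    uint16_t ns;                 /* next sequence number to send */
    uint16_t rack;               /* highest sequence number acked by the peer */
    int xwin[L2TP_MAX_XWIN];     /* stand-in for struct mbuf *xwin[]; nonzero = in flight */
};

struct recv_nr_result {
    int accepted;                /* 1 if the ack was processed, 0 if rejected */
    int nack;                    /* value the code computed from Nr */
    int frees_past_end;          /* m_freem() calls the kernel would make on xwin[i], i >= 16 */
    size_t memmove_len;          /* byte count the kernel would hand to memmove() */
};

static struct l2tp_seq make_seq(uint16_t rack, uint16_t ns)
{
    struct l2tp_seq seq;
    int i;

    memset(&seq, 0, sizeof(seq));
    seq.rack = rack;
    seq.ns = ns;
    for (i = 0; i < L2TP_MAX_XWIN; i++)
        seq.xwin[i] = 1;                   /* every slot holds an unacked packet */
    return seq;
}

static int window_occupied(const struct l2tp_seq *seq)
{
    int i, n = 0;
    for (i = 0; i < L2TP_MAX_XWIN; i++)
        n += (seq->xwin[i] != 0);
    return n;
}

static struct recv_nr_result reject(int nack)
{
    struct recv_nr_result r;
    memset(&r, 0, sizeof(r));
    r.nack = nack;
    return r;
}

/* The free-and-shift tail both variants share once the ack is accepted (modeled). */
static struct recv_nr_result shift_window(struct l2tp_seq *seq, uint16_t nr, int nack)
{
    struct recv_nr_result r = reject(nack);
    int i;

    r.accepted = 1;
    seq->rack = nr;
    for (i = 0; i < nack; i++) {
        if (i < L2TP_MAX_XWIN)
            seq->xwin[i] = 0;              /* m_freem(seq->xwin[i]) */
        else
            r.frees_past_end++;            /* kernel would m_freem() whatever follows xwin[] */
    }
    /* For nack > 16 the element count is negative and wraps to a huge size_t. */
    r.memmove_len = (size_t)(L2TP_MAX_XWIN - nack) * sizeof(*seq->xwin);
    if (nack <= L2TP_MAX_XWIN) {           /* only execute the in-bounds case here */
        memmove(seq->xwin, seq->xwin + nack, r.memmove_len);
        memset(seq->xwin + (L2TP_MAX_XWIN - nack), 0, (size_t)nack * sizeof(*seq->xwin));
    }
    return r;
}

/* As audited: the KASSERT is the only bound on nack. */
static struct recv_nr_result recv_nr_kassert_only(struct l2tp_seq *seq, uint16_t nr)
{
    int nack;

    if ((nack = L2TP_SEQ_DIFF(nr, seq->rack)) <= 0)
        return reject(nack);               /* duplicate ack */
    if (L2TP_SEQ_DIFF(nr, seq->ns) > 0)
        return reject(nack);               /* ack for a packet never sent */
    KASSERT(nack <= L2TP_MAX_XWIN, ("nack > L2TP_MAX_XWIN"));
    return shift_window(seq, nr, nack);
}

/* Proposed fix: a real check in every build, before any xwin[] access. */
static struct recv_nr_result recv_nr_hardened(struct l2tp_seq *seq, uint16_t nr)
{
    int nack;

    if ((nack = L2TP_SEQ_DIFF(nr, seq->rack)) <= 0)
        return reject(nack);
    if (L2TP_SEQ_DIFF(nr, seq->ns) > 0)
        return reject(nack);
    if (nack > L2TP_MAX_XWIN)
        return reject(nack);               /* invariant broken (e.g. DF-0492): drop the ack */
    KASSERT(nack <= L2TP_MAX_XWIN, ("nack > L2TP_MAX_XWIN"));
    return shift_window(seq, nr, nack);
}

int main(void)
{
    struct l2tp_seq seq = make_seq(100, 120);   /* raced state: ns is 20 ahead of rack */
    struct recv_nr_result r = recv_nr_kassert_only(&seq, 120);

    printf("KASSERT-only: accepted=%d nack=%d frees_past_end=%d memmove_len=%zu\n",
           r.accepted, r.nack, r.frees_past_end, r.memmove_len);
    seq = make_seq(100, 120);
    r = recv_nr_hardened(&seq, 120);
    printf("hardened:     accepted=%d nack=%d slots_left=%d\n",
           r.accepted, r.nack, window_occupied(&seq));
    return 0;
}
```

Build it without -DINVARIANTS to see the production behaviour: the KASSERT-only path accepts nack = 20, would free four entries beyond xwin[15] and would call memmove() with a wrapped length, while the hardened path drops the ack and leaves the window untouched. Rebuilding with -DINVARIANTS makes the first variant abort instead, which is exactly the protection a production kernel does not get.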