DragonFlyBSD Kernel Audit
DF-0495

rn_delete integer underflow: klen-head_off wraps to huge size_t when key sa_len < tree offset -> kernel panic

Summary

rn_delete (lines 884-889): klen = clen(key), i.e. the key's sa_len, and head_off = head->rnh_treetop->rn_offset (e.g. 4 for an IPv4 tree). The bcmp at line 888 uses klen - head_off as its length. If a caller passes a key with sa_len < head_off (e.g. sa_len = 2 against an AF_INET tree where head_off = 4), the subtraction yields -2, which is implicitly converted to a size_t of about 2^64 - 2. bcmp then attempts to compare roughly 16 EiB, runs into an unmapped page and the kernel panics.

The radix API performs no validation that clen(key) >= head_off, and the routing socket's rt_xaddrs rejects only sa_len == 0, not a sa_len that is too short. A root process sending RTM_DELETE with a truncated destination sockaddr therefore triggers the panic. There is no information leak, since bcmp crashes before it returns.

Fix: if (klen < head_off) return NULL;
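Added illustration, not code from the DragonFly tree: a small C model of the length computation described above, showing the wrapped size_t that the unchecked form hands to bcmp and the proposed guard applied before any comparison. The struct layout, function names and sample keys are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for a sockaddr key: sa_len-prefixed, as in the BSD routing code.
 * Names and layout are this example's own, not the DragonFly structures. */
struct key {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t data[14];
};

/* The unchecked arithmetic from the finding: int minus int, then an implicit
 * conversion to size_t when the result reaches bcmp(). sa_len = 2 with
 * head_off = 4 gives -2, i.e. SIZE_MAX - 1 on a 64-bit kernel. */
size_t unchecked_cmp_len(int sa_len, int head_off)
{
    int klen = sa_len;                 /* clen(key) */
    return (size_t)(klen - head_off);  /* what bcmp would receive */
}

/* Guarded form (the proposed fix): refuse any key shorter than the tree
 * offset. Returns -1 where rn_delete should return NULL, otherwise the
 * non-negative byte count bcmp may compare. */
long checked_cmp_len(int sa_len, int head_off)
{
    int klen = sa_len;
    if (klen < head_off)
        return -1;
    return klen - head_off;
}

/* Model of rn_delete's key comparison with the guard in front of it.
 * Returns 1 if the keys match past head_off, 0 if not, -1 if refused. */
int rn_delete_model(const struct key *key, const struct key *node, int head_off)
{
    long n = checked_cmp_len(key->sa_len, head_off);
    if (n < 0)
        return -1;                     /* too-short key never reaches bcmp */
    if (node->sa_len < key->sa_len)
        return 0;                      /* never read past the stored key */
    return memcmp((const uint8_t *)key + head_off,
                  (const uint8_t *)node + head_off, (size_t)n) == 0;
}

/* Constructed inputs: an AF_INET-style stored key with sa_len 16, compared
 * against a caller key truncated to sa_len 2 and against a full copy. */
int demo_truncated_key(void)
{
    struct key node = { 16, 2, { 10, 0, 0, 1 } }, bad = { 2, 2, { 0 } };
    return rn_delete_model(&bad, &node, 4);    /* -1: refused */
}

int demo_full_key(void)
{
    struct key node = { 16, 2, { 10, 0, 0, 1 } }, good = node;
    return rn_delete_model(&good, &node, 4);   /* 1: match */
}
```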