DragonFlyBSD Kernel Audit
DF-0496

rn_walktree_from dereferences caller-supplied mask without NULL check

Summary

rn_walktree_from (:1098) unconditionally dereferences mask[rn->rn_offset] in its traversal loop. Unlike rn_walktree_at, which checks if (mask != NULL), this function assumes mask is always non-NULL, so a call with mask = NULL panics the kernel. The current callers (route.c:829, 1012, 1278) pass rt_mask(rt), guarded by a != NULL check, so this is a latent defense-in-depth gap rather than a path reachable today. Fix: if (_mask == NULL) return rn_walktree(h, f, w).