DragonFlyBSD Kernel Audit
DF-0498

SIOC_L2CAP_L2CA_GET_INFO: unvalidated info_size causes oversized kmalloc + feature non-functional

Summary

SIOC_L2CAP_L2CA_GET_INFO (lines 1061-1097) performs no upper-bound check on p->info_size, unlike the PING handler (line 1002), which rejects sizes above NG_L2CAP_MAX_ECHO_SIZE. NG_MKMESSAGE(... sizeof(*ip) + info_size ...) at line 1077 is called with M_WAITOK, so a caller can request an allocation of up to ~4 GiB. The request path never populates the trailing bytes. Downstream, ng_l2cap_l2ca_get_info_req (ulpi.c:1435) rejects any arglen != sizeof(*ip), so every request with info_size > 0 fails. Impact: memory-exhaustion DoS, and a GetInfo that is never functional. Fix: clamp or reject info_size, and allocate only sizeof(*ip).
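A stand-alone model of the original sizing logic next to its hardened form, added here as an example and not DragonFlyBSD code; the struct layouts, the 32-bit info_size field and the MAX_INFO_SIZE stand-in for NG_L2CAP_MAX_ECHO_SIZE are assumptions:

```c
/* Model of the DF-0498 finding (added example, not DragonFlyBSD code).
 * Assumptions: p->info_size is a 32-bit unsigned field and the GetInfo
 * request struct (ip) is a small placeholder; real layouts differ. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Placeholder for the L2CAP GetInfo request struct (assumed layout). */
struct get_info_req {
    uint16_t link_handle;   /* assumed field */
    uint16_t info_type;     /* assumed field */
};

/* Placeholder for the ioctl argument; only info_size matters here. */
struct get_info_ioctl {
    uint32_t info_size;
};

/* Stand-in for NG_L2CAP_MAX_ECHO_SIZE, the bound the PING path already
 * applies; the real value lives in the netgraph headers. */
#define MAX_INFO_SIZE 65535u

/* Original behaviour: message size is derived from the caller-controlled
 * field with no upper bound, so a 32-bit maximum yields a ~4 GiB request. */
size_t vuln_alloc_size(const struct get_info_ioctl *p)
{
    return sizeof(struct get_info_req) + (size_t)p->info_size;
}

/* Downstream check (ulpi.c:1435 in the finding): the argument must be
 * exactly sizeof(*ip), so any trailing bytes cause a rejection. */
bool downstream_accepts(size_t arglen)
{
    return arglen == sizeof(struct get_info_req);
}

/* Hardened behaviour: reject an out-of-range info_size up front and size
 * the message to the request struct only, which is what the downstream
 * handler expects. Returns 0 when the ioctl should fail with EINVAL. */
size_t fixed_alloc_size(const struct get_info_ioctl *p)
{
    if (p->info_size > MAX_INFO_SIZE)
        return 0;               /* EINVAL: oversized request */
    return sizeof(struct get_info_req);
}
```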