DragonFlyBSD Kernel Audit
DF-0500

Response handlers trust count/size fields without checking pcb->msg arglen: defense-in-depth gap

Summary

GET_CON_LIST (:920-928) copies p1->num_connections * elem bytes to userspace without checking that arglen >= sizeof(*p1) + count * elem. PING (:1048-1054) copies op->echo_size bytes and GET_INFO (:1106-1115) copies op->info_size bytes with the same missing check, as does GET_CHAN_LIST (:972-983). These handlers are currently safe only because the L2CAP layer sizes each response to match its own count/size field; any future divergence between the declared count and the allocated response would turn the copyout into a heap out-of-bounds read whose contents land in userspace. Fix: validate arglen against the size derived from the count/size field before each copyout.
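The check the finding asks for, written out as an added example that is not DragonFlyBSD code: a response handler derives the byte count it intends to copy from the message's own count/size field, computes the minimum arglen that count implies (with overflow protection), and refuses the copyout when arglen is smaller. The message layouts, handler names, and the memcpy standing in for copyout are hypothetical stand-ins for the real pcb->msg structures; the two cases cover the count-times-element pattern (GET_CON_LIST, GET_CHAN_LIST) and the plain size-field pattern (PING, GET_INFO).

```c
/*
 * Added example, not DragonFlyBSD code. Demonstrates validating a response's
 * arglen against the length implied by its own count/size field before any
 * copyout. All struct and function names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical list-style response: a count header followed by elements. */
struct list_hdr  { uint32_t num_entries; };   /* stands in for p1->num_connections */
struct list_elem { uint16_t handle; uint8_t state; uint8_t pad; };

/* Hypothetical size-style response (PING / GET_INFO pattern). */
struct sized_hdr { uint32_t data_size; };     /* stands in for op->echo_size / op->info_size */

/*
 * Bytes a response of `count` items of `elem_size` needs after a header of
 * `hdr_size`, i.e. sizeof(*p1) + count * elem. Returns 0 on overflow so a
 * wrapped multiplication can never look like a small, acceptable size.
 */
static size_t
response_size_needed(size_t hdr_size, size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > (SIZE_MAX - hdr_size) / elem_size)
        return 0;
    return hdr_size + count * elem_size;
}

/* The missing check: arglen must cover what the message claims to carry. */
static bool
arglen_covers(size_t arglen, size_t needed)
{
    return needed != 0 && arglen >= needed;
}

/*
 * Hypothetical GET_CON_LIST-style handler. `msg` is the response payload and
 * `arglen` the length the lower layer attached to it. Returns the number of
 * element bytes copied to `out` (userspace stand-in), or -1 when the declared
 * count does not fit in arglen, which is exactly the case that would otherwise
 * read past the heap allocation.
 */
static long
handle_list_response(const void *msg, size_t arglen, void *out, size_t outlen)
{
    struct list_hdr hdr;
    size_t needed, body;

    if (arglen < sizeof(hdr))            /* need the header to read the count at all */
        return -1;
    memcpy(&hdr, msg, sizeof(hdr));

    needed = response_size_needed(sizeof(hdr), hdr.num_entries, sizeof(struct list_elem));
    if (!arglen_covers(arglen, needed))
        return -1;

    body = needed - sizeof(hdr);
    if (body > outlen)
        return -1;
    memcpy(out, (const uint8_t *)msg + sizeof(hdr), body);   /* copyout stand-in */
    return (long)body;
}

/* Hypothetical PING / GET_INFO-style handler: a byte size instead of a count. */
static long
handle_sized_response(const void *msg, size_t arglen, void *out, size_t outlen)
{
    struct sized_hdr hdr;

    if (arglen < sizeof(hdr))
        return -1;
    memcpy(&hdr, msg, sizeof(hdr));

    if (!arglen_covers(arglen, response_size_needed(sizeof(hdr), hdr.data_size, 1)))
        return -1;
    if (hdr.data_size > outlen)
        return -1;
    memcpy(out, (const uint8_t *)msg + sizeof(hdr), hdr.data_size);
    return (long)hdr.data_size;
}

/* Constructed test case: the count field says `declared`, the buffer actually holds `actual` (<= 8). */
static long
run_list_case(uint32_t declared, size_t actual)
{
    uint8_t buf[sizeof(struct list_hdr) + 8 * sizeof(struct list_elem)] = {0};
    uint8_t user[64];
    struct list_hdr hdr = { declared };
    size_t arglen = sizeof(hdr) + actual * sizeof(struct list_elem);

    memcpy(buf, &hdr, sizeof(hdr));
    return handle_list_response(buf, arglen, user, sizeof(user));
}

/* Constructed test case: the size field says `declared`, the buffer actually holds `actual` (<= 32) bytes. */
static long
run_sized_case(uint32_t declared, size_t actual)
{
    uint8_t buf[sizeof(struct sized_hdr) + 32] = {0};
    uint8_t user[64];
    struct sized_hdr hdr = { declared };

    memcpy(buf, &hdr, sizeof(hdr));
    return handle_sized_response(buf, sizeof(hdr) + actual, user, sizeof(user));
}

int
main(void)
{
    printf("list  2/2: %ld\n", run_list_case(2, 2));    /* copies 8 bytes */
    printf("list  3/1: %ld\n", run_list_case(3, 1));    /* rejected: -1 */
    printf("sized 5/5: %ld\n", run_sized_case(5, 5));   /* copies 5 bytes */
    printf("sized 6/5: %ld\n", run_sized_case(6, 5));   /* rejected: -1 */
    return 0;
}
```

The overflow guard in response_size_needed matters as much as the comparison itself: a 32-bit count multiplied by the element size can wrap on a 32-bit size_t, and a wrapped "needed" value would pass the arglen test while the copyout still walks far past the allocation.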