DragonFlyBSD Kernel Audit
DF-0502

ng_fec_shutdown infinite loop when member interface destroyed: dangling pointer + unkillable loop

Summary

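ng_fec_shutdown (:1335-1339) drains the port list with a while (!TAILQ_EMPTY) loop that calls ng_fec_delport(priv, p->fec_if->if_xname) on the first entry. ng_fec_delport re-resolves the interface by name via ifunit (:481); if the interface has been destroyed, it returns ENOENT (:485) WITHOUT removing the portlist entry. TAILQ_FIRST then returns the same entry on every pass, so the loop never terminates. In addition, p->fec_if is a dangling pointer to the freed ifnet, so reading if_xname is a use-after-free read. A privileged local user who destroys a member interface before shutdown hangs the kernel. Fix: iterate over the port list and remove entries directly in shutdown; do not re-resolve the interface by name.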
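The non-progress condition and the direct-removal fix, as an added userspace model (not the ng_fec source). All struct and function names are hypothetical stand-ins, the if_alive flag stands in for the ifunit lookup result, and the limit parameter exists only so the model terminates.

```c
#include <errno.h>
#include <string.h>
#include <sys/queue.h>

/* Userspace model; all names are hypothetical stand-ins, ports caller-owned. */
struct port {
    const char *name; /* the kernel code reads this via p->fec_if->if_xname */
    int if_alive;     /* models whether ifunit() still finds the interface */
    TAILQ_ENTRY(port) link;
};
TAILQ_HEAD(portlist, port);

/* delport as described: resolve by name first; ENOENT leaves the entry linked. */
static int delport_by_name(struct portlist *pl, const char *name)
{
    struct port *p;
    TAILQ_FOREACH(p, pl, link)
        if (strcmp(p->name, name) == 0)
            break;
    if (p == NULL || !p->if_alive)
        return ENOENT;
    TAILQ_REMOVE(pl, p, link);
    return 0;
}

/* Shutdown loop as described; returns passes used, or -1 once 'limit' is hit. */
static int shutdown_by_name(struct portlist *pl, int limit)
{
    int n = 0;
    for (; !TAILQ_EMPTY(pl); n++) {
        if (n >= limit)
            return -1; /* same head entry every pass: no progress */
        delport_by_name(pl, TAILQ_FIRST(pl)->name);
    }
    return n;
}

/* Fix direction from the finding: unlink directly, never re-resolve. */
static int shutdown_direct(struct portlist *pl)
{
    int n = 0;
    for (struct port *p; (p = TAILQ_FIRST(pl)) != NULL; n++)
        TAILQ_REMOVE(pl, p, link);
    return n;
}
```

The direct loop makes progress on every pass because removal no longer depends on a lookup that can fail, and it never dereferences the interface pointer.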