DragonFlyBSD Kernel Audit
DF-0523

Deferred INTERNAL_UPCALL re-invokes upcall against torn-down node/socket: UAF/NULL deref (DF-0511 v1 twin)

Summary

For cloned accepted nodes that do not yet have a hook, ng_ksocket_newhook (:624-627) queues an NGM_KSOCKET_INTERNAL_UPCALL message to itself so that the incoming-data path is re-triggered once the hook exists. The handler (:848-854) reads priv->so->so_upcall and calls it.

This races with ng_ksocket_rmnode (:923-959), which closes the socket, bzero()s and frees priv, and sets node->private = NULL. If the hook is disconnected between the time the message is queued and the time it is delivered, the receive path (rcvmsg, :641) dereferences node->private while it is NULL, causing a panic, or else reads stale/zeroed memory (use-after-free).

Confidence is low: the netgraph core may discard the message via NG_INVALID before rcvmsg runs, which could not be fully verified.

Proposed fix: drain any pending INTERNAL_UPCALL messages in rmnode, and re-validate in the handler that the node's private data and socket are still present before dereferencing them.