DragonFlyBSD Kernel Audit
DF-0524

Stored raw pointer to member ifnet with no refcount: UAF when member interface destroyed

Summary

ng_fec_addport stores p->fec_if = bifp (:408) after looking the interface up with ifunit(), and takes NO reference on it. The stored pointer is later dereferenced in delport (:455), init (:527-528), stop (:553-554), tick (:583), and start + choose_port (:974). If the member interface is detached, the pointer dangles and the next ioctl, tick, or tx is a use-after-free. There is no if_ref/if_rele and no EVENTHANDLER for ifnet_detach. Same as DF-0503 (ng7). Fix: if_ref on store, and if_rele on delport/rmnode, or an ifnet_depart_eventhandler.
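
The lifetime rule behind the proposed fix, as an added userland model (not DragonFlyBSD or ng_fec code). Every model_* name and both struct fields are hypothetical stand-ins; only fec_if and the addport/delport roles come from the finding, and the reference-counting behaviour shown is an assumption about how if_ref/if_rele would be used.

```c
#include <stddef.h>

/* Userland stand-in for struct ifnet; both fields are assumptions. */
struct model_ifnet {
    int refcnt;    /* 0 means the object would have been freed */
    int detached;  /* set when the interface is torn down */
};

struct model_port {
    struct model_ifnet *fec_if;  /* field name taken from the finding */
};

static void model_if_ref(struct model_ifnet *ifp)  { ifp->refcnt++; }
static void model_if_rele(struct model_ifnet *ifp) { ifp->refcnt--; }

/* addport: take the reference at the moment the pointer is stored. */
static void model_addport(struct model_port *p, struct model_ifnet *bifp)
{
    model_if_ref(bifp);
    p->fec_if = bifp;
}

/* delport/rmnode: drop the reference and clear the stored pointer. */
static void model_delport(struct model_port *p)
{
    if (p->fec_if != NULL) {
        model_if_rele(p->fec_if);
        p->fec_if = NULL;
    }
}

/* Member detach: the owner drops its reference; holders keep it alive. */
static void model_if_detach(struct model_ifnet *ifp)
{
    ifp->detached = 1;
    model_if_rele(ifp);
}

/* tick/start path: safe to read because the port's reference pins it. */
static int model_port_usable(const struct model_port *p)
{
    return p->fec_if != NULL && p->fec_if->refcnt > 0 && !p->fec_if->detached;
}

/* Detach while the port still holds the pointer; returns refcnt at use time. */
static int model_refs_at_use_after_detach(struct model_port *p, struct model_ifnet *ifp)
{
    model_addport(p, ifp);
    model_if_detach(ifp);
    return ifp->refcnt;
}
```

Without the model_if_ref call in model_addport, the count would reach 0 at detach while fec_if still held the address, which is the dangling-pointer state the finding describes.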