DragonFlyBSD Kernel Audit
DF-0526

ng_fec_choose_port dereferences ether/IP headers without mbuf length validation: OOB read

Summary

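ng_fec_choose_port takes the Ethernet header pointer straight from the mbuf (eh = mtod(m), :897) and derives the IPv4 and IPv6 header pointers from the same base plus sizeof(ether_header) (ip at :899-900, ip6 at :902-903). There is no m_len or m_pkthdr.len check and no m_pullup before these pointers are used. The INET path reads ntohl(ip->ip_dst) (:930) and the INET6 path reads ip6_dst.s6_addr[15] (:935). With a short or fragmented mbuf, these reads go out of bounds, past m_data. Same issue as DF-0504 (ng7). Fix: call m_pullup before dereferencing the headers.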
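
The length requirement behind the fix, as an added userland example (not the kernel's code and not taken from the audited source). struct pkt, dst_key and make_sample are hypothetical names; data/len stand in for m_data/m_len, and the function refuses the read where the kernel would need m_pullup to succeed first.

```c
/* Added userland model, not kernel code: struct pkt stands in for the first
 * mbuf of a chain (data/len mirror m_data/m_len). All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN 14   /* dst MAC + src MAC + ethertype */
#define IPV4_HDR_MIN  20   /* ip_dst is bytes 16..19 of the IPv4 header */
#define IPV6_HDR_LEN  40   /* ip6_dst is bytes 24..39 of the IPv6 header */
enum fam { FAM_INET, FAM_INET6 };
struct pkt { const uint8_t *data; size_t len; };

/* Returns 0 and stores the key, or -1 when the headers are not fully inside
 * the contiguous buffer (the case the kernel fix handles with m_pullup). */
int dst_key(const struct pkt *p, enum fam f, uint32_t *key)
{
    size_t need = ETHER_HDR_LEN + (f == FAM_INET ? IPV4_HDR_MIN : IPV6_HDR_LEN);
    if (p == NULL || p->data == NULL || p->len < need)
        return -1;                      /* short buffer: do not dereference */
    const uint8_t *l3 = p->data + ETHER_HDR_LEN;
    if (f == FAM_INET) {
        /* big-endian load, same value as ntohl(ip->ip_dst) */
        *key = ((uint32_t)l3[16] << 24) | ((uint32_t)l3[17] << 16) |
               ((uint32_t)l3[18] << 8)  |  (uint32_t)l3[19];
    } else {
        *key = l3[39];                  /* ip6_dst.s6_addr[15] */
    }
    return 0;
}

/* Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header. */
static uint8_t sample_frame[ETHER_HDR_LEN + IPV4_HDR_MIN];
const uint8_t *make_sample(void)
{
    const uint8_t dst[4] = { 192, 0, 2, 7 };   /* TEST-NET-1 address */
    memset(sample_frame, 0, sizeof(sample_frame));
    memcpy(sample_frame + ETHER_HDR_LEN + 16, dst, sizeof(dst));
    return sample_frame;
}

int main(void)
{
    struct pkt full = { make_sample(), sizeof(sample_frame) };
    struct pkt cut  = { make_sample(), ETHER_HDR_LEN + 8 };  /* truncated IP */
    uint32_t k = 0;
    int a = dst_key(&full, FAM_INET, &k), b = dst_key(&cut, FAM_INET, &k);
    printf("full=%d key=0x%08x cut=%d\n", a, (unsigned)k, b);
    return 0;
}
```

In the kernel, m_pullup can also return NULL after freeing the chain, so the caller must handle that result before touching the headers.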