DragonFlyBSD Kernel Audit
DF-0527

ng_fec_choose_port NULL dereference when computed port index removed: reachable panic after port delete

Summary

Port selection computes mask = (fec_ifcnt == 2) ? 0x1 : 0x3 (:896), so the computed port index may be 0..3. fec_idx is assigned sequentially in addport (:395) and is NEVER renumbered when a port is removed: delport (:463-466) only does TAILQ_REMOVE + kfree + ifcnt--. When the hash selects a removed index, the TAILQ_FOREACH at :945-948 exits with p == NULL, and line :956, if (p->fec_ifstat != 1), dereferences NULL.

Reachable: bring up a 4-port bundle, delete one port (ifcnt=3, mask=0x3, only 3 of {0,1,2,3} remain), then transmit. About 25% of flows hit the missing slot, giving a NULL dereference and a panic.

Fix: return EINVAL when p == NULL, or renumber fec_idx in delport, or compute the mask from the actual indices.
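The following userspace model is an added example, not the kernel source: it reproduces the index gap left by delport and shows the first proposed fix (the p == NULL check) in the lookup. The struct layouts, the caller-supplied hash value, the ENETDOWN return and the helper missing_after_delete are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/queue.h>

struct port {
    int fec_idx;                 /* assigned once, at add time */
    int fec_ifstat;              /* 1 = link up */
    TAILQ_ENTRY(port) link;
};
struct bundle { TAILQ_HEAD(, port) ports; int fec_ifcnt; };

static void addport(struct bundle *b, struct port *p)
{
    p->fec_idx = b->fec_ifcnt++; /* sequential index */
    p->fec_ifstat = 1;
    TAILQ_INSERT_TAIL(&b->ports, p, link);
}

/* As in the finding: unlink and decrement, no renumbering (kfree omitted). */
static void delport(struct bundle *b, struct port *p)
{
    TAILQ_REMOVE(&b->ports, p, link);
    b->fec_ifcnt--;
}

/* Returns 0 and sets *out, EINVAL if no port holds the index, ENETDOWN if down. */
static int choose_port(struct bundle *b, unsigned hash, struct port **out)
{
    int want = (int)(hash & (b->fec_ifcnt == 2 ? 0x1u : 0x3u));
    struct port *p;
    TAILQ_FOREACH(p, &b->ports, link)
        if (p->fec_idx == want)
            break;
    if (p == NULL) return EINVAL; /* loop ran off the end: index was removed */
    if (p->fec_ifstat != 1)       /* safe only after the NULL check */
        return ENETDOWN;          /* errno chosen for the model */
    *out = p;
    return 0;
}

/* Of 256 constructed hash values, how many select the removed index? */
static int missing_after_delete(int victim)
{
    struct bundle b = { .fec_ifcnt = 0 };
    struct port ps[4], *out; int i, miss = 0;
    TAILQ_INIT(&b.ports);
    for (i = 0; i < 4; i++) addport(&b, &ps[i]);
    delport(&b, &ps[victim]);
    for (i = 0; i < 256; i++) miss += (choose_port(&b, (unsigned)i, &out) == EINVAL);
    return miss;
}
int main(void) { return missing_after_delete(1) == 64 ? 0 : 1; }
```

With the check in place, every lookup that lands on the removed index returns EINVAL instead of reaching the fec_ifstat test; 64 of 256 hash values is the 25% miss rate noted in the summary.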