DragonFlyBSD Kernel Audit
DF-0528

ng_fec_rmnode infinite loop when member interface vanished: dangling ptr + unkillable loop

Summary

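ng_fec_rmnode (:1224-1229) tears down the port list with while (!TAILQ_EMPTY): p = TAILQ_FIRST, ksprintf(ifname, "%s", p->fec_if->if_xname), then ng_fec_delport(priv, ifname). ng_fec_delport re-resolves the name with ifunit (:433) and, if the interface has been destroyed, returns ENOENT (:434-439) WITHOUT removing the port from the TAILQ. The list never empties, so the loop never terminates. p->fec_if is dangling at that point, so reading if_xname is a use-after-free. Same as DF-0502 (ng7). Fix: unlink and free each port directly in ng_fec_rmnode; do not re-resolve the interface by name.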
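Added example, not DragonFlyBSD code: a user-space model of the teardown pattern in the summary, contrasting removal that re-resolves by name with direct unlink and free. The struct, field and function names are hypothetical; the stalled loop is capped so the model terminates, and the model keeps its own copy of the name instead of reading it through a freed interface pointer.

```c
/* Added user-space model, not DragonFlyBSD code; names are hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>
struct port {
    char name[16];            /* model's own copy of the interface name */
    int  if_present;          /* 0 = member interface already destroyed */
    TAILQ_ENTRY(port) link;
};
TAILQ_HEAD(port_list, port);
void add_port(struct port_list *h, const char *name, int present) {
    struct port *p = calloc(1, sizeof(*p));
    if (p == NULL) abort();
    strncpy(p->name, name, sizeof(p->name) - 1);
    p->if_present = present;
    TAILQ_INSERT_TAIL(h, p, link);
}
/* Removal that re-resolves by name and returns ENOENT before unlinking. */
int delport_by_name(struct port_list *h, const char *name) {
    struct port *p;
    TAILQ_FOREACH(p, h, link)
        if (strcmp(p->name, name) == 0) break;
    if (p == NULL || !p->if_present) return ENOENT;   /* port stays linked */
    TAILQ_REMOVE(h, p, link);
    free(p);
    return 0;
}
/* Teardown loop from the finding, capped; returns iterations without progress. */
int teardown_by_name(struct port_list *h, int max_iter) {
    int stalled = 0;
    while (!TAILQ_EMPTY(h) && max_iter-- > 0)
        if (delport_by_name(h, TAILQ_FIRST(h)->name) != 0) stalled++;
    return stalled;
}
/* Fixed teardown: unlink and free each entry directly, no lookup by name. */
int teardown_direct(struct port_list *h) {
    int freed = 0;
    for (struct port *p; (p = TAILQ_FIRST(h)) != NULL; freed++) {
        TAILQ_REMOVE(h, p, link);
        free(p);
    }
    return freed;
}
int main(void) {
    struct port_list h = TAILQ_HEAD_INITIALIZER(h);
    add_port(&h, "em0", 0);   /* constructed input: interface already gone */
    add_port(&h, "em1", 1);
    return !(teardown_by_name(&h, 100) == 100 && teardown_direct(&h) == 2);
}
```

Every capped iteration of teardown_by_name stalls on the head entry whose interface is gone, while teardown_direct empties the same list in one pass.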