DragonFlyBSD Kernel Audit
DF-0535

Integer underflow in ngc_send path-length math: sg_len < 2 -> bcopy with SIZE_MAX -> kernel heap smash

Summary

ngc_send (:245-248) computes len = sap->sg_len - 2 with no lower bound on sg_len. ngc_bind validates sg_len (:822), but ngc_send does not. With sg_len == 0, len = -2 and kmalloc((size_t)-1, M_WAITOK) panics or hangs. With sg_len == 1, len = -1: kmalloc(0) succeeds, then bcopy(sg_data, path, (size_t)-1) (:247) attempts a multi-exabyte copy, which page-faults and panics immediately. bcopy takes its length as size_t (unsigned), so the signed negative value is silently reinterpreted as an enormous length. Reaching this path requires a control socket (privileged). Fix: return EINVAL if sg_len < 2, before :245.