DragonFlyBSD Kernel Audit
DF-0553

SIOCSETVLAN accepts reserved VLAN IDs (0 and 0xFFF) without validation

Summary

The SIOCSETVLAN handler (:996-1007) copies struct vlanreq and calls vlan_config(ifv, vlr.vlr_parent, vlr.vlr_tag) with no validation of vlr_tag. IEEE 802.1Q reserves VID 0 (priority-tagged) and VID 0xFFF; the valid range is 1-4094. A privileged user can therefore configure reserved IDs. This is an operational/protocol correctness issue.

Fix: if (vlr_tag == 0 || (vlr_tag & 0xfff) == 0xfff) return EINVAL.
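A userspace model of the tag check, added here as an illustration and not DragonFlyBSD source: `tag_check_finding` mirrors the fix above, while `tag_check_none`, `tag_check_strict` and `VID_MASK` are assumed names, the last two for a stricter variant that also rejects bits outside the 12-bit VID field. The sample tags are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define VID_MASK 0x0fffu   /* 12-bit VLAN ID field of the 802.1Q tag */

/* Model of the unvalidated handler path: every tag is accepted. */
static int tag_check_none(uint16_t tag) { (void)tag; return 0; }

/* The check proposed in the finding, same logic as written there. */
static int tag_check_finding(uint16_t tag)
{
    if (tag == 0 || (tag & VID_MASK) == VID_MASK)
        return EINVAL;
    return 0;
}

/* Stricter variant (assumption, not from the finding): reject any bit
 * outside the VID field first, so 0x1000 (VID 0 once masked) fails. */
static int tag_check_strict(uint16_t tag)
{
    if (tag & ~VID_MASK)
        return EINVAL;
    if (tag == 0 || tag == VID_MASK)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample tags: reserved, valid, and out-of-field values. */
    const uint16_t samples[] = { 0, 1, 100, 4094, 0xfff, 0x1000, 0x1fff };
    size_t i;

    printf("%-8s %-6s %-8s %-6s\n", "tag", "none", "finding", "strict");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t t = samples[i];
        printf("0x%04x   %-6d %-8d %-6d\n", (unsigned)t,
               tag_check_none(t), tag_check_finding(t), tag_check_strict(t));
    }
    return 0;
}
```

The two checks differ only for tags with bits set above the VID field, such as 0x1000; whether that matters depends on how vlan_config uses the upper bits of the tag.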