DragonFlyBSD Kernel Audit
DF-0554

Missing min frame-length check + unsigned STEPBY underflow: kernel heap OOB read in LMI parser

Summary

LMI_MIN_LENGTH (8) is defined at :88 with an "XXX verify" comment but is never used. nglmi_checkdata dereferences the fixed header bytes unconditionally (*data at :762/769/795/803/820), each read followed by STEPBY(1) (:766/792/800/815). STEPBY (:552-556) does packetlen -= stepsize; data += stepsize with no underflow guard, and packetlen is a u_short. A frame shorter than the fixed header therefore makes STEPBY wrap packetlen from 0 to 65535.

The IE loop, while (packetlen >= 2) (:850), then iterates with packetlen = 65535 and data pointing far past the mbuf, reading data[0], data[1] and the IE bodies from arbitrary kernel heap. The guard if (packetlen < segsize + 2) break (:856) is useless here: segsize is a u_char (max 255) while packetlen is 65535.

A 1-byte frame {0x03} triggers the condition; the sender is the remote Frame Relay (FR) peer. The heap contents read are observable via NGM_LMI_GET_STATUS.

Fix: enforce m_lengthm(m) >= LMI_MIN_LENGTH at the top of nglmi_checkdata, change packetlen to a signed int, and add an underflow guard in STEPBY.
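The following is an added example, not code from the DragonFlyBSD ng_lmi source. It places the u_short step the finding describes next to a bounded cursor that implements the proposed fix (minimum-length check up front, signed remaining length, guarded step), and runs both over constructed frames. The header is modelled simply as LMI_MIN_LENGTH bytes to skip, the IE layout is assumed to be type byte, length byte (segsize) and body, and the sample frames and helper names (stepby_unguarded, stepby_guarded, lmi_frame_length_ok, walk_ies) are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Value from the finding: ng_lmi.c defines LMI_MIN_LENGTH as 8 at :88. */
#define LMI_MIN_LENGTH 8

/* Unguarded step modelled on the STEPBY macro described in the finding.
 * uint16_t stands in for u_short: subtracting past zero wraps to 65535. */
static uint16_t stepby_unguarded(uint16_t packetlen, uint16_t stepsize)
{
    packetlen -= stepsize;
    return packetlen;
}

/* Bounded cursor: signed remaining length plus an explicit check,
 * which is the guard the finding asks STEPBY to gain. */
struct lmi_cursor {
    const unsigned char *data;
    int remaining;   /* signed: a bad step is caught, never wraps */
};

/* Returns 0 on success, -1 if the step would run past the frame. */
static int stepby_guarded(struct lmi_cursor *c, int stepsize)
{
    if (stepsize < 0 || c->remaining < stepsize)
        return -1;
    c->remaining -= stepsize;
    c->data += stepsize;
    return 0;
}

/* Top-of-parser check: reject frames shorter than the fixed header
 * before any byte is dereferenced. Returns 1 if the frame is accepted. */
static int lmi_frame_length_ok(size_t framelen)
{
    return framelen >= LMI_MIN_LENGTH;
}

/* Assumed model of the IE loop after the fixed header: each IE is a type
 * byte, a length byte (segsize, u_char) and segsize body bytes. Returns the
 * number of IEs consumed, or -1 for a malformed frame. Never reads past
 * framelen because remaining is signed and every step is checked. */
static int walk_ies(const unsigned char *frame, size_t framelen)
{
    if (!lmi_frame_length_ok(framelen))
        return -1;
    struct lmi_cursor c = { frame, (int)framelen };
    if (stepby_guarded(&c, LMI_MIN_LENGTH) != 0)   /* skip fixed header */
        return -1;
    int count = 0;
    while (c.remaining >= 2) {
        unsigned char segsize = c.data[1];
        /* The finding's :856 check, now meaningful with a bounded length. */
        if (c.remaining < (int)segsize + 2)
            return -1;
        if (stepby_guarded(&c, (int)segsize + 2) != 0)
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample frames (not captures). */
static const unsigned char short_frame[]  = { 0x03 };                      /* 1 byte */
static const unsigned char header_only[]  = { 0,0,0,0,0,0,0,0 };           /* 8 bytes */
static const unsigned char one_ie[]       = { 0,0,0,0,0,0,0,0, 0x01, 0x02, 0xaa, 0xbb };
static const unsigned char truncated_ie[] = { 0,0,0,0,0,0,0,0, 0x01, 0xc8 }; /* claims 200 */

int main(void)
{
    printf("u_short STEPBY(1) on packetlen 0 -> %u\n", stepby_unguarded(0, 1));
    printf("1-byte frame accepted? %d\n", lmi_frame_length_ok(sizeof short_frame));
    printf("IEs: short=%d header=%d one=%d truncated=%d\n",
           walk_ies(short_frame, sizeof short_frame),
           walk_ies(header_only, sizeof header_only),
           walk_ies(one_ie, sizeof one_ie),
           walk_ies(truncated_ie, sizeof truncated_ie));
    return 0;
}
```

The unguarded step reproduces the wrap the finding names (0 becomes 65535), while the guarded cursor rejects the 1-byte frame at the length check, consumes a well-formed IE, and stops on an IE whose declared length exceeds what remains instead of walking off the buffer.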