DragonFlyBSD Kernel Audit
DF-0556

DLCI array index without local bounds check in nglmi_rcvdata: latent heap OOB write

Summary

In nglmi_rcvdata, the PVC-status IE handler (case 6, :698) computes dlci = (data[2] << 8) | data[3], which can take any value in 0..65535, and then uses it to index sc->dlci_state[dlci] (read at :718, write at :725). The array is declared as dlci_state[MAXDLCI + 1], i.e. 1024 entries. The author left a "/* XXX */" comment (:702) where a bounds check belongs; none is present. The only thing preventing an out-of-bounds access is nglmi_checkdata rejecting any dlci > 1023 (:971) on its separate pass over the packet. If checkdata's view of the packet ever diverges from rcvdata's re-parse (for example an AUTO/GROUP4 state change between the two passes, or a future refactor that drops the checkdata call), the write at :725 becomes an out-of-bounds write of an attacker-controlled byte at an attacker-chosen offset past the array. Fix: add a local check in rcvdata, if (dlci == 0 || dlci > MAXDLCI) goto nextIE, so the handler no longer depends on checkdata for its own memory safety.
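The following is an added example, not DragonFlyBSD or ng_lmi code: it models the DLCI extraction described above and the local bounds check the note recommends, so that the handler's safety no longer rests on a separate validation pass. MAXDLCI = 1023 is taken from the note's "dlci_state[MAXDLCI+1=1024]"; the struct name lmi_state, the function names, and the sample IE bytes are constructed for illustration (the IE layout only assumes the two-byte DLCI at data[2]/data[3], as the note states).

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not DragonFlyBSD code. Assumption: MAXDLCI = 1023, from the
 * audit note's "dlci_state[MAXDLCI+1=1024]". */
#define MAXDLCI 1023

/* Hypothetical stand-in for the driver's softc: same array size as
 * sc->dlci_state in the note. */
struct lmi_state {
    unsigned char dlci_state[MAXDLCI + 1];
};

/* Extract the DLCI exactly as the note describes: (data[2] << 8) | data[3].
 * Returns -1 when the IE is too short to hold both bytes, which also keeps
 * this example from reading past a short buffer. */
int pvc_status_dlci(const unsigned char *data, size_t len)
{
    if (data == NULL || len < 4)
        return -1;
    return (data[2] << 8) | data[3];
}

/* The local check the note proposes: DLCI 0 and anything above MAXDLCI are
 * rejected before the value is used as an array index. Returns 1 if usable. */
int dlci_in_range(int dlci)
{
    return dlci > 0 && dlci <= MAXDLCI;
}

/* Hardened equivalent of the write at :725. Only updates dlci_state when the
 * index passed the local check; returns 1 on update, 0 when the IE is skipped
 * (the "goto nextIE" path in the note). The caller never has to trust that a
 * separate checkdata pass saw the same bytes. */
int record_pvc_status(struct lmi_state *sc, const unsigned char *data,
                      size_t len, unsigned char status)
{
    int dlci = pvc_status_dlci(data, len);
    if (dlci < 0 || !dlci_in_range(dlci))
        return 0;                       /* skip IE, array untouched */
    sc->dlci_state[dlci] = status;
    return 1;
}

int main(void)
{
    struct lmi_state sc = {{0}};
    /* Constructed sample IEs: byte 0 = IE type, byte 1 = IE length,
     * bytes 2-3 = DLCI, big-endian, matching the note's parse. */
    const unsigned char ok[]   = {0x07, 0x03, 0x00, 0x10}; /* DLCI 16    */
    const unsigned char max[]  = {0x07, 0x03, 0x03, 0xff}; /* DLCI 1023  */
    const unsigned char over[] = {0x07, 0x03, 0x04, 0x00}; /* DLCI 1024  */
    const unsigned char huge[] = {0x07, 0x03, 0xff, 0xff}; /* DLCI 65535 */
    const unsigned char zero[] = {0x07, 0x03, 0x00, 0x00}; /* DLCI 0     */

    printf("DLCI 16    accepted=%d\n", record_pvc_status(&sc, ok, sizeof ok, 1));
    printf("DLCI 1023  accepted=%d\n", record_pvc_status(&sc, max, sizeof max, 1));
    printf("DLCI 1024  accepted=%d\n", record_pvc_status(&sc, over, sizeof over, 1));
    printf("DLCI 65535 accepted=%d\n", record_pvc_status(&sc, huge, sizeof huge, 1));
    printf("DLCI 0     accepted=%d\n", record_pvc_status(&sc, zero, sizeof zero, 1));
    return 0;
}
```

Placing the range check next to the index use, rather than in a separate validation function, is the property a reviewer should look for when auditing the real handler: any divergence between the two parsing passes is then harmless, because the write itself refuses indices outside 1..MAXDLCI.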