DragonFlyBSD Kernel Audit
DF-0573

Unvalidated ioc->id used as nats[] index: OOB read/write of pointer array

Summary

ioc->id, taken from the privileged IP_FW_NAT_ADD sockopt, is used directly as the index nats[id-1] in nat_add_dispatch (:745), nat_del_dispatch (:797), nat_state_add_dispatch (:712) and check_nat (:161). There is no check that id lies in [1, NAT_ID_MAX=16]: id==0 yields index -1, an out-of-bounds access before nats[], and id>16 an out-of-bounds access past its end. The NULL check on the slot may still pass if the out-of-bounds slot happens to hold a non-NULL value, in which case a foreign pointer is treated as a cfg_nat (type confusion). nat_state_add_dispatch additionally dereferences nat and alias without NULL checks. Impact: local-root out-of-bounds array access leading to cfg_nat type confusion and kernel read/write. Fix: reject the request with EINVAL when id<1 || id>NAT_ID_MAX.