DragonFlyBSD Kernel Audit
← dashboard
DF-0577

Integer overflow in SLIOCSKEEPAL/SLIOCSOUTFILL interval computation: tight callout loop DoS

Summary

sc_keepalive=*(u_int*)data*hz(:398) sc_outfill=*(u_int*)data*hz(:416) unsigned 32-bit multiply no overflow check. _IOW(...,int) so negative int(-1=>0xFFFFFFFF) or value>=4294967 at hz=1000 wraps to small/near-zero -> callout_reset tight re-fire loop -> high CPU local DoS. Root-only SLIPDISC. Fix: validate v!=0&&v<=SL_MAX_INTERVAL before multiply.