DragonFlyBSD Kernel Audit
DF-0579

Unbounded mbuf-to-stack copy in slstart BPF path: latent stack overflow

Summary

slstart() (line 536; copy loop at lines 594-603) declares u_char bpfbuf[SLTMAX + SLIP_HDRLEN], a 1516-byte buffer on the kernel stack, and copies the entire outbound mbuf chain into it starting at cp = bpfbuf + SLIP_HDRLEN (lines 597-603) with no explicit check that the accumulated length stays within SLTMAX. The comment at lines 588-591 acknowledges that this assumes packets are short. The bound therefore relies entirely on MTU enforcement: SIOCSIFMTU caps the interface MTU at SLTMAX (1500, line 993) and ip_output fragments anything larger. There is no known trigger today, but any future change that lets an oversized mbuf chain reach slstart() would overflow the stack buffer. Recommended fix: in the copy loop, add if (len + mlen > SLTMAX) break; so that no segment is copied once the running total would exceed SLTMAX.
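The following is an added illustration written for this audit entry, not code from the DragonFlyBSD driver. It models the bounded mbuf-to-stack copy the fix describes: a hypothetical struct mbuf stand-in (not the kernel's real mbuf), a copy_chain_bounded() helper that applies the recommended len + mlen > SLTMAX check, and a check_copy() harness that feeds constructed chains of a chosen total length into a guarded buffer and verifies that bytes past bpfbuf are never written. The 16-byte SLIP_HDRLEN follows from the 1516-byte figure above; the two-segment chain layout is constructed for the test.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char u_char;

/* Sizes from the audit note: SLIP payload limit and the header room
 * reserved in front of the packet (1516 - 1500 = 16). */
#define SLTMAX      1500
#define SLIP_HDRLEN 16
#define BPFBUF_SIZE (SLTMAX + SLIP_HDRLEN)

/* Hypothetical stand-in for an mbuf chain; NOT the kernel's struct mbuf.
 * Each segment carries a data pointer, its length and a link to the next. */
struct mbuf {
    struct mbuf  *m_next;
    const u_char *m_data;
    int           m_len;
};

/* Bounded copy of a chain into bpfbuf (hypothetical helper, not the
 * driver's own loop). cp starts at bpfbuf + SLIP_HDRLEN as in the audit.
 * Before copying each segment it applies the recommended check: if the
 * running total would exceed SLTMAX, stop. Returns bytes copied and sets
 * *truncated when the chain did not fit. */
size_t copy_chain_bounded(const struct mbuf *m, u_char *bpfbuf, int *truncated)
{
    u_char *cp  = bpfbuf + SLIP_HDRLEN;
    size_t  len = 0;

    *truncated = 0;
    for (; m != NULL; m = m->m_next) {
        size_t mlen = (size_t)m->m_len;
        if (len + mlen > SLTMAX) {     /* the check the audit recommends */
            *truncated = 1;
            break;
        }
        memcpy(cp, m->m_data, mlen);
        cp  += mlen;
        len += mlen;
    }
    return len;
}

/* Harness: builds a constructed two-segment chain of `total` bytes (a
 * 100-byte head plus the remainder), copies it into a buffer with guard
 * bytes after bpfbuf, and verifies that the guard is untouched, the copied
 * payload matches the chain, and the truncation state equals
 * want_truncated. Returns the byte count copied, or -1 on any violation. */
long check_copy(size_t total, int want_truncated)
{
    static u_char payload[4096];             /* constructed packet data */
    static u_char guarded[BPFBUF_SIZE + 32]; /* bpfbuf + guard region */
    struct mbuf m1, m2;
    size_t i, copied, head;
    int truncated;

    if (total > sizeof payload)
        return -1;
    for (i = 0; i < sizeof payload; i++)
        payload[i] = (u_char)i;

    head = total < 100 ? total : 100;
    m2.m_next = NULL; m2.m_data = payload + head; m2.m_len = (int)(total - head);
    m1.m_next = &m2;  m1.m_data = payload;        m1.m_len = (int)head;

    memset(guarded, 0xAA, sizeof guarded);
    copied = copy_chain_bounded(&m1, guarded, &truncated);

    for (i = BPFBUF_SIZE; i < sizeof guarded; i++)   /* guard intact? */
        if (guarded[i] != 0xAA)
            return -1;
    for (i = 0; i < copied; i++)                     /* data intact? */
        if (guarded[SLIP_HDRLEN + i] != payload[i])
            return -1;
    if (truncated != want_truncated)
        return -1;
    return (long)copied;
}

int main(void)
{
    printf("1500-byte chain: copied %ld\n", check_copy(1500, 0));
    printf("1501-byte chain: copied %ld (truncated)\n", check_copy(1501, 1));
    printf("3000-byte chain: copied %ld (truncated)\n", check_copy(3000, 1));
    return 0;
}
```

A chain of exactly SLTMAX bytes copies in full; anything larger is cut off before the offending segment, so the 1516-byte buffer is never overrun regardless of what the MTU path lets through.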