[Bug 295520] Linux compat getsockopt IPV6_NEXTHOP performs unbounded kernel malloc based on user-supplied optlen
Date: Sat, 23 May 2026 14:26:33 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295520
Bug ID: 295520
Summary: Linux compat getsockopt IPV6_NEXTHOP performs unbounded kernel malloc based on user-supplied optlen
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: cs.lee@opcia.kr

Reclassified per secteam guidance — originally reported to secteam@FreeBSD.org, directed to bugs.FreeBSD.org as a non-security kernel bug.

In sys/compat/linux/linux_socket.c, the Linux compatibility layer's getsockopt() handler for IPV6_NEXTHOP allocates kernel memory based on the user-supplied optlen parameter without imposing an upper bound.

While this requires the Linux compatibility module to be loaded (a root-only operation), a process running under Linux emulation can trigger excessive kernel memory allocation by passing a very large optlen value.

Suggested fix: Cap optlen to a reasonable maximum (e.g., sizeof(struct sockaddr_in6)) before the kernel allocation.
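
The bounded-length pattern from the suggested fix, as an added example that is not part of the bug report and is not FreeBSD source. It is a userland C model: the function names, the int32_t length type and the EINVAL return for negative lengths are assumptions made for illustration.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userland model only: names and types are hypothetical, not FreeBSD code. */
#define NEXTHOP_MAX sizeof(struct sockaddr_in6)

/* Bytes an uncapped handler would request for a caller-chosen optlen. */
size_t unbounded_request(int32_t optlen)
{
    return (size_t)(uint32_t)optlen;    /* a negative length wraps to ~4 GiB */
}

/*
 * Capped handler: reject negative lengths, clamp to the option's maximum,
 * then allocate and copy only that much. Returns 0 or an errno value.
 */
int bounded_getopt(const struct sockaddr_in6 *stored, void *ubuf, int32_t *optlen)
{
    size_t len;
    void *scratch;
    if (*optlen < 0)
        return EINVAL;
    len = (size_t)*optlen;
    if (len > NEXTHOP_MAX)
        len = NEXTHOP_MAX;              /* the cap suggested in the report */
    if (len == 0)
        return 0;                       /* nothing to copy, no allocation */
    if ((scratch = malloc(len)) == NULL)
        return ENOMEM;
    memcpy(scratch, stored, len);       /* stands in for the kernel lookup */
    memcpy(ubuf, scratch, len);         /* stands in for copyout() */
    free(scratch);
    *optlen = (int32_t)len;             /* report bytes actually written */
    return 0;
}

int main(void)
{
    struct sockaddr_in6 nh = { .sin6_family = AF_INET6 };  /* constructed */
    unsigned char out[sizeof nh];
    int32_t optlen = INT32_MAX;         /* hostile caller-supplied length */
    printf("uncapped request: %zu bytes\n", unbounded_request(optlen));
    int rc = bounded_getopt(&nh, out, &optlen);
    printf("capped: rc=%d optlen=%d\n", rc, (int)optlen);
    return 0;
}
```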