OpenBSD mpls_do_error Kernel Stack Memory Disclosure via MPLS Input
Description
OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing bounds check in the label-stack parse loop allows `nstk` to reach 16, causing subsequent code to read 17 entries from a 16-entry array."
Attack vector
An attacker sends a crafted MPLS frame carrying 16 labels with no Bottom-of-Stack bit set and an outermost TTL of 1. On systems with MPLS enabled on an interface, the frame reaches `mpls_input` → `mpls_do_error`, where the label-stack parse loop fills the 16-entry `stack` array without breaking. The out-of-bounds read of `stack[16]` (4 bytes of adjacent kernel stack) is then reflected back to the attacker inside the ICMP/MPLS extension object of the error response [ref_id=1]. This is an out-of-bounds read [CWE-125] [ref_id=2].
Affected code
The vulnerability resides in `mpls_do_error` within `sys/netmpls/mpls_input.c`. The function declares a fixed-size local array `struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX]` (16 entries). When the parse loop completes without encountering a Bottom-of-Stack (BoS) label, `nstk` reaches 16, and subsequent code paths compute a copy length of `(nstk + 1) * sizeof(*shim)` — 17 entries — reading one `struct shim_hdr` (4 bytes) past the end of the array [ref_id=1].
What the fix does
The patch (commit 6a23123) corrects the length calculation used when copying the label stack into the ICMP error response. Instead of using `(nstk + 1) * sizeof(*shim)`, the fix uses `nstk * sizeof(*shim)`, ensuring that only the 16 entries actually stored in the array are copied. This prevents the out-of-bounds read of `stack[16]` and eliminates the kernel stack memory disclosure [ref_id=1].
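To make the length mismatch described above concrete, here is an added example that is not OpenBSD's code: a stripped-down model of the label-stack parse loop together with the pre-fix and post-fix copy-length formulas. `struct shim_hdr` and `MPLS_INKERNEL_LOOP_MAX` keep the page's names; the BoS mask, the helper names and the constructed label values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* MPLS_INKERNEL_LOOP_MAX and struct shim_hdr are named on the page; the BoS
 * mask and all label values below are defined locally for this example. */
#define MPLS_INKERNEL_LOOP_MAX 16
#define MPLS_BOS_MASK 0x00000100U    /* S (Bottom-of-Stack) bit, host-order shim */

struct shim_hdr { uint32_t shim_label; };   /* one 4-byte label-stack entry */

/* Fill `stack` as the parse loop does: stop on a BoS label, otherwise keep
 * going until the array is full. Returns nstk, the number of entries stored
 * (16 when no BoS label is seen, which is the vulnerable state). */
static size_t
parse_label_stack(const uint32_t *labels, size_t nlabels,
    struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX])
{
	size_t nstk = 0;
	for (size_t i = 0; i < nlabels && nstk < MPLS_INKERNEL_LOOP_MAX; i++) {
		stack[nstk++].shim_label = labels[i];
		if (labels[i] & MPLS_BOS_MASK)
			break;
	}
	return nstk;
}

/* Bytes copied into the ICMP error extension. Pre-fix assumes a BoS entry
 * at stack[nstk] (nstk + 1 entries); post-fix copies only what was stored. */
static size_t vuln_copy_len(size_t nstk)  { return (nstk + 1) * sizeof(struct shim_hdr); }
static size_t fixed_copy_len(size_t nstk) { return nstk * sizeof(struct shim_hdr); }

/* Constructed input: 16 labels with the S bit clear on every one. */
static size_t
sample_nstk_no_bos(void)
{
	uint32_t labels[16];
	struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX];
	for (size_t i = 0; i < 16; i++)
		labels[i] = (uint32_t)(1000 + i) << 12;   /* 20-bit label field only */
	return parse_label_stack(labels, 16, stack);
}

/* Constructed input: 3 labels, S bit set on the last one. */
static size_t
sample_nstk_with_bos(void)
{
	uint32_t labels[3] = { 1000u << 12, 1001u << 12, (1002u << 12) | MPLS_BOS_MASK };
	struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX];
	return parse_label_stack(labels, 3, stack);
}
```

With no BoS label, `vuln_copy_len(16)` yields 68 bytes against a 64-byte array, which is the one-entry (4-byte) over-read; `fixed_copy_len(16)` stays at 64.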
Preconditions
- config: MPLS must be enabled on a network interface of the target system
- network: Attacker must be able to send crafted MPLS frames to the target
- input: The crafted frame must carry exactly 16 labels with no Bottom-of-Stack bit set and an outermost TTL of 1
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/openbsd/src/commit/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd (mitre; patch)
- pop.argus-systems.ai/advisory/adv-040.html (mitre; technical description, exploit)
- www.vulncheck.com/advisories/openbsd-mpls-do-error-kernel-stack-memory-disclosure-via-mpls-input (mitre; third-party advisory)