DF-0281 / run.log
=================== VULNERABLE PATH (mtu=0, no guard) ===================
+ ./divzero_proof
DF-0281 code-level proof: netgraph7 RFCOMM divide-by-zero via PN mtu=0
(userspace replication of the exact kernel arithmetic; NOT a kernel trigger)
STEP 0: DLC created, default pcb->mtu = 667 (line 432)
STEP 1: peer PN with mtu=0 processed by set_pn (line 3019); now pcb->mtu = 0 <-- NO validation was applied
CFC flag now set (line 3023)
STEP 2: peer UIH data frame arrives; rx_cred=21 -> --rx_cred=20 <= MAX_CREDITS/2 -> send_credits() called (line 2429)
STEP 3: send_credits line 3283: credits = ssb_space / pcb->mtu ...
### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###
PROOF: pcb->mtu==0 reached the unguarded divisor -> kernel would #DE/panic
(In-kernel: CPU raises #DE -> trap -> panic. In userspace: #DE -> SIGFPE -> caught here.)
VULN_EXIT=0
=================== GUARDED PATH (-DFIX_MTU: clamp mtu!=0) ===================
+ ./divzero_proof_fixed
DF-0281 code-level proof: netgraph7 RFCOMM divide-by-zero via PN mtu=0
(userspace replication of the exact kernel arithmetic; NOT a kernel trigger)
STEP 0: DLC created, default pcb->mtu = 667 (line 432)
STEP 1: peer PN with mtu=0 processed by set_pn (line 3019); now pcb->mtu = 667 <-- NO validation was applied
CFC flag now set (line 3023)
STEP 2: peer UIH data frame arrives; rx_cred=21 -> --rx_cred=20 <= MAX_CREDITS/2 -> send_credits() called (line 2429)
STEP 3: send_credits line 3283: credits = ssb_space / pcb->mtu ...
NO FAULT: pcb->mtu was guarded before the divisor (fix active); credits path completed.
FIXED_EXIT=0