DF-0281 / run.stress.log
########## STRESS RUN 1 (vulnerable path) ##########
DF-0281 code-level proof: netgraph7 RFCOMM divide-by-zero via PN mtu=0
(userspace replication of the exact kernel arithmetic; NOT a kernel trigger)
STEP 0: DLC created, default pcb->mtu = 667 (line 432)
STEP 1: peer PN with mtu=0 processed by set_pn (line 3019); now pcb->mtu = 0 <-- NO validation was applied
CFC flag now set (line 3023)
STEP 2: peer UIH data frame arrives; rx_cred=21 -> --rx_cred=20 <= MAX_CREDITS/2 -> send_credits() called (line 2429)
STEP 3: send_credits line 3283: credits = ssb_space / pcb->mtu ...
### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###
PROOF: pcb->mtu==0 reached the unguarded divisor -> kernel would #DE/panic
(In-kernel: CPU raises #DE -> trap -> panic. In userspace: #DE -> SIGFPE -> caught here.)
exit=0
########## STRESS RUN 2 (vulnerable path) ##########
DF-0281 code-level proof: netgraph7 RFCOMM divide-by-zero via PN mtu=0
(userspace replication of the exact kernel arithmetic; NOT a kernel trigger)
STEP 0: DLC created, default pcb->mtu = 667 (line 432)
STEP 1: peer PN with mtu=0 processed by set_pn (line 3019); now pcb->mtu = 0 <-- NO validation was applied
CFC flag now set (line 3023)
STEP 2: peer UIH data frame arrives; rx_cred=21 -> --rx_cred=20 <= MAX_CREDITS/2 -> send_credits() called (line 2429)
STEP 3: send_credits line 3283: credits = ssb_space / pcb->mtu ...
### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###
PROOF: pcb->mtu==0 reached the unguarded divisor -> kernel would #DE/panic
(In-kernel: CPU raises #DE -> trap -> panic. In userspace: #DE -> SIGFPE -> caught here.)
exit=0
########## STRESS RUN 3 (vulnerable path) ##########
DF-0281 code-level proof: netgraph7 RFCOMM divide-by-zero via PN mtu=0
(userspace replication of the exact kernel arithmetic; NOT a kernel trigger)
STEP 0: DLC created, default pcb->mtu = 667 (line 432)
STEP 1: peer PN with mtu=0 processed by set_pn (line 3019); now pcb->mtu = 0 <-- NO validation was applied
CFC flag now set (line 3023)
STEP 2: peer UIH data frame arrives; rx_cred=21 -> --rx_cred=20 <= MAX_CREDITS/2 -> send_credits() called (line 2429)
STEP 3: send_credits line 3283: credits = ssb_space / pcb->mtu ...
### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###
PROOF: pcb->mtu==0 reached the unguarded divisor -> kernel would #DE/panic
(In-kernel: CPU raises #DE -> trap -> panic. In userspace: #DE -> SIGFPE -> caught here.)
exit=0