DragonFlyBSD Kernel Audit
DF-0420

Use-after-free in SCO reassembly buffer: sc_isoc_in_buffer retains dangling pointer after mbuf forwarded and realloc fails

Summary

ubt_isoc_read_one_frame() (:1103-1181) loads m = sc->sc_isoc_in_buffer at :1113. When an SCO frame is complete, ubt_fwd_mbuf_up() (:1173) forwards m and the local is reset to m = NULL. If the loop then continues and MGETHDR/MCLGET fails (M_NOWAIT under memory pressure), the function returns -1 at :1123/:1130 WITHOUT clearing sc_isoc_in_buffer, because the store at :1178 is not reached. The next callback loads the dangling pointer, reads m->m_pkthdr.len from freed memory, and writes USB SCO data into the freed mbuf via usbd_copy_out() (:1154-1155). The comment "XXX out of sync!" acknowledges the desynchronization. A malicious USB BT dongle, or a USB passthrough device, crafts isochronous frame sizes and combines them with mbuf exhaustion. The result is a UAF read (info leak) plus a UAF write (controlled heap corruption).
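The following is an added, simplified model of the control flow described above, not the DragonFlyBSD ubt driver code: all names (softc_sim, mbuf_sim, mget_sim, fwd_up_sim, read_one_frame_sim) are hypothetical, allocation failure is simulated with a counter instead of real memory pressure, and a forwarded mbuf is only marked freed so the stale reference is observable without undefined behaviour. It shows the softc retaining a pointer to an already-forwarded buffer after the allocation-failure return, and the fix of clearing the softc pointer on that path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's mbuf and softc (added model). */
struct mbuf_sim { unsigned len; int freed; };

struct softc_sim {
    struct mbuf_sim *isoc_in_buffer;  /* plays sc_isoc_in_buffer */
    int allocs_left;                  /* allocations before simulated M_NOWAIT failure */
};

/* Simulated MGETHDR/MCLGET: fails once the budget is exhausted. */
static struct mbuf_sim *mget_sim(struct softc_sim *sc)
{
    if (sc->allocs_left <= 0)
        return NULL;
    sc->allocs_left--;
    return calloc(1, sizeof(struct mbuf_sim));
}

/* Simulated ubt_fwd_mbuf_up: ownership passes up the stack, which frees it.
 * Here the mbuf is only flagged so a later stale reference can be detected. */
static void fwd_up_sim(struct mbuf_sim *m) { m->freed = 1; }

/* One isochronous callback. 'fixed' selects the corrected failure path. */
static int read_one_frame_sim(struct softc_sim *sc, int nframes,
                              unsigned complete_len, int fixed)
{
    struct mbuf_sim *m = sc->isoc_in_buffer;       /* analogue of :1113 */

    for (int i = 0; i < nframes; i++) {
        if (m == NULL) {
            m = mget_sim(sc);
            if (m == NULL) {
                if (fixed)
                    sc->isoc_in_buffer = NULL;     /* fix: old mbuf is gone, drop it */
                return -1;                         /* analogue of :1123/:1130 */
            }
        }
        m->len++;                                  /* stands in for usbd_copy_out */
        if (m->len >= complete_len) {
            fwd_up_sim(m);                         /* analogue of :1173 */
            m = NULL;
        }
    }
    sc->isoc_in_buffer = m;                        /* analogue of :1178, skipped on -1 */
    return 0;
}

/* Returns 1 if, after a partial frame followed by a completion plus an
 * allocation failure, the softc still points at a forwarded (freed) mbuf. */
int stale_buffer_after_failure(int fixed)
{
    struct softc_sim sc = { .isoc_in_buffer = NULL, .allocs_left = 1 };

    /* Callback 1: one frame arrives, SCO frame not yet complete, buffer kept. */
    read_one_frame_sim(&sc, 1, 2, fixed);
    struct mbuf_sim *kept = sc.isoc_in_buffer;

    /* Callback 2: frame completes and is forwarded; next MGETHDR fails. */
    int rc = read_one_frame_sim(&sc, 2, 2, fixed);
    int stale = (rc == -1 && sc.isoc_in_buffer != NULL && sc.isoc_in_buffer->freed);

    free(kept);
    return stale;
}

int main(void)
{
    printf("buggy path leaves stale pointer: %d\n", stale_buffer_after_failure(0));
    printf("fixed path leaves stale pointer: %d\n", stale_buffer_after_failure(1));
    return 0;
}
```

The model keeps the same ordering as the audit's description: forward, then attempt a fresh allocation, then return without reaching the final store. Any error return taken after the forward must also reset the softc field, which is the invariant the fixed branch restores.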