DF-0436
Heap OOB read + security-filter bypass via OGF=0/event=0: negative bitstr index into ng_btsocket_hci_raw_sec_filter
Summary
ng_btsocket_hci_raw_filter() (:669-718) is the security filter applied to unprivileged raw HCI sockets. For NG_HCI_CMD_PKT it evaluates bit_test(commands[OGF(opcode)-1], OCF(opcode)-1) (:679-684): both fields are decremented before indexing and neither is checked for zero. OGF is 6 bits and OCF is 10 bits, so every non-zero value stays inside the bitmap and the only escapes are the two zero cases.

OGF=0: commands[-1] is one command row (128 bytes) before commands[0]. With the 32-byte events bitmap in front of commands, that is 96 bytes before the start of the struct, and OCF-1 then selects one bit within the following 128 bytes (the tail of whatever precedes the allocation plus the events bitmap itself).

OCF=0: bit index -1, so name[-1>>3] is the byte immediately before the selected row, bit 7 of it (for OGF=1 that byte is the last byte of events; for OGF=0 it is 97 bytes before the struct).

For NG_HCI_EVENT_PKT, event = mtod(m, ...)->event - 1 (:703) followed by bit_test(events, event) (:709); event code 0 gives bit index -1, i.e. bit 7 of the byte immediately before the struct.

The offsets above assume the byte-wide bitstring macros, bitstr_t = unsigned char and bit_test(name, bit) = name[bit>>3] & (1 << (bit&7)), so -1>>3 lands on name[-1]. If the bitstring.h actually compiled defines bitstr_t as a wider word, the negative index is instead divided and reduced modulo the word width (the division truncates toward zero and the shift count goes negative), so the exact out-of-bounds offset must be rechecked against that header; the missing zero check is the bug either way.

Trigger: an unprivileged local user attaches a raw HCI socket (attach :936 requires no privilege; the filter is what is supposed to confine such a socket) and calls sendto() with a 3-byte HCI command packet whose opcode has OGF=0. Each call reads one bit outside the filter struct and reports it as EPERM vs. success, giving a one-bit-per-probe oracle over the bytes preceding the allocation (a neighbouring object or slab metadata). When the bit that happens to sit there is set, the command is forwarded to the controller although the filter never permitted it, so the unprivileged socket injects commands the filter was meant to block. The bypass covers only opcodes with OGF=0 or OCF=0, which the HCI spec assigns to no command (0x0000 is the NOP opcode), so the controller's handling of unassigned opcodes bounds that part of the impact; the out-of-bounds read does not depend on it.