DF-0437
Receive-path filter dereferences mbuf data without m_pullup: OOB read within mbuf cluster on short first mbuf
Summary
ng_btsocket_hci_raw_data_input (:474-545) passes the mbuf to the filter (:511) without calling m_pullup. The filter dereferences *mtod (1 byte), opcode bytes 1-2 and event byte 1, up to 3 contiguous bytes in total, while only m_len bytes are guaranteed. The code itself carries the comment "XXX do we have to call m_pullup here?" (:506-509). The send path (:1638-1643) correctly pulls up sizeof(cmd_pkt). A compromised controller or netgraph injection that supplies a short first mbuf causes an OOB read within the cluster.
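Added example, not code from the affected source: a userland C model of a header read that stays in bounds when the first segment is shorter than the 3 bytes the filter needs, using a bounds-checked gather in the style of m_copydata. The names seg, chain_copy and hci_filter_key and the sample chains are hypothetical; in the kernel, the equivalent is a length check followed by m_pullup, as the send path does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userland stand-in for an mbuf chain (constructed model, not the kernel struct). */
struct seg { const struct seg *next; size_t len; const uint8_t *data; };

/* Models m_copydata(): gather n bytes at offset off across segments.
 * Returns 0 on success, -1 if the chain is shorter than off + n. */
static int chain_copy(const struct seg *s, size_t off, size_t n, uint8_t *dst)
{
    for (; s != NULL && n > 0; s = s->next) {
        if (off >= s->len) { off -= s->len; continue; }
        size_t take = s->len - off < n ? s->len - off : n;
        memcpy(dst, s->data + off, take);
        dst += take; n -= take; off = 0;
    }
    return n == 0 ? 0 : -1;
}

enum { HCI_CMD_PKT = 0x01, HCI_EVENT_PKT = 0x04 };

/* Hardened header read: no byte is read unless the chain really holds it.
 * Returns opcode (command) or event code (event), -1 if too short,
 * -2 for packet types this sketch does not filter. */
int hci_filter_key(const struct seg *m)
{
    uint8_t hdr[3];
    if (chain_copy(m, 0, 1, hdr) != 0)
        return -1;
    switch (hdr[0]) {
    case HCI_CMD_PKT:
        if (chain_copy(m, 1, 2, hdr + 1) != 0) return -1;
        return hdr[1] | (hdr[2] << 8);   /* opcode is little-endian */
    case HCI_EVENT_PKT:
        if (chain_copy(m, 1, 1, hdr + 1) != 0) return -1;
        return hdr[1];
    default:
        return -2;
    }
}

/* Constructed samples: a command split 1+2 bytes, and the type byte alone. */
static const uint8_t b0[] = { 0x01 }, b1[] = { 0x03, 0x0c };
const struct seg cmd_tail = { NULL, sizeof b1, b1 };
const struct seg split_cmd = { &cmd_tail, sizeof b0, b0 };
const struct seg short_cmd = { NULL, sizeof b0, b0 };

int main(void) { return hci_filter_key(&split_cmd) == 0x0c03 ? 0 : 1; }
```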