DragonFlyBSD Kernel Audit
DF-0453

Wrong session variable in rfcomm_session_newconn: timeout armed on listener not new session — memory leak + listener corruption DoS

Summary

rfcomm_session_newconn() (:423-428) creates the new session (:416) and puts it into WAIT_CONNECT (:421). The comment says the expiry should be scheduled on the NEW session, but the callout_reset call uses &rs->rs_timeout and passes rs (the LISTENER) as the argument instead of &new->rs_timeout and new.

Consequence 1: the new session has NO timeout. If a peer opens the L2CAP channel but never sends SABM(0), the session and its L2CAP state are never released, so repeated connections exhaust kernel memory (DoS).

Consequence 2: the listener receives a spurious mcc_timeout, which enters the DLC-closing path and may free the listener, permanently disabling RFCOMM.

Reachable by a remote, unauthenticated Bluetooth peer within radio range.
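A stand-alone C model of the mis-armed callout, added here as an illustration and not the DragonFlyBSD source: it keeps the page's names (rs, new, rs_timeout, rfcomm_session_newconn) but the callout, session struct and timeout handler are simplified stand-ins, and the buggy flag and accept_then_expire() are constructed for the demonstration.

```c
#include <stdlib.h>

/* Minimal model of a kernel callout: handler, argument, armed flag. */
struct callout { void (*c_func)(void *); void *c_arg; int c_armed; };
enum { RFCOMM_SESSION_LISTEN = 1, RFCOMM_SESSION_WAIT_CONNECT, RFCOMM_SESSION_CLOSED };
struct rfcomm_session { int rs_state; struct callout rs_timeout; };

static void callout_reset(struct callout *c, void (*fn)(void *), void *arg)
{
	c->c_func = fn; c->c_arg = arg; c->c_armed = 1;
}

/* Stand-in for the timeout handler: the session it is handed is torn down,
 * which is right for a pending session and fatal for the listener. */
static void rfcomm_session_timeout(void *arg)
{
	((struct rfcomm_session *)arg)->rs_state = RFCOMM_SESSION_CLOSED;
}

/* Model of rfcomm_session_newconn(). buggy != 0 reproduces the finding (callout
 * armed on the listener rs, with rs as argument); the other branch is the fix. */
static struct rfcomm_session *rfcomm_session_newconn(struct rfcomm_session *rs, int buggy)
{
	struct rfcomm_session *new = calloc(1, sizeof(*new));
	if (new == NULL) return NULL;
	new->rs_state = RFCOMM_SESSION_WAIT_CONNECT;
	if (buggy)
		callout_reset(&rs->rs_timeout, rfcomm_session_timeout, rs);
	else
		callout_reset(&new->rs_timeout, rfcomm_session_timeout, new);
	return new;
}

/* Stand-in for the timer wheel: run an armed callout once. */
static void fire(struct callout *c)
{
	if (c->c_armed) { c->c_armed = 0; c->c_func(c->c_arg); }
}

struct outcome { int new_state; int listener_state; };

/* One round: the listener accepts a connection, the peer never sends SABM(0),
 * and the timer expires. Reports the state of both sessions afterwards. */
static struct outcome accept_then_expire(int buggy)
{
	struct rfcomm_session listener = { RFCOMM_SESSION_LISTEN, { 0 } };
	struct rfcomm_session *new = rfcomm_session_newconn(&listener, buggy);
	struct outcome o = { 0, 0 };
	if (new == NULL) return o;
	fire(&listener.rs_timeout);
	fire(&new->rs_timeout);
	o.new_state = new->rs_state; o.listener_state = listener.rs_state;
	free(new);
	return o;
}
```

With buggy set, the pending session stays in WAIT_CONNECT forever while the listener is the one torn down; with the fix, only the pending session expires.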