DF-0453
Wrong session variable in rfcomm_session_newconn: timeout armed on listener not new session — memory leak + listener corruption DoS
Summary
rfcomm_session_newconn (:423-428) creates a new session (:416) and sets it to WAIT_CONNECT (:421). The comment says the expiry is scheduled on the NEW session, but callout_reset uses &rs->rs_timeout and passes rs (the LISTENER) instead of &new->rs_timeout and new.

Consequence 1: the new session has NO timeout. If a peer opens L2CAP but never sends SABM(0), the session and its L2CAP state leak indefinitely, so repeated connections cause a memory exhaustion DoS.

Consequence 2: the listener gets a spurious mcc_timeout, which takes the DLC-closing path and may free the listener, permanently disabling RFCOMM.

Reachable by a remote unauthenticated Bluetooth peer within range.
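The wrong-variable pattern and its correction, as an added user-space model that is not the kernel source or code from this finding. Every model_* name, the M_* states and simulate() are hypothetical; only rs, new, rs_timeout and WAIT_CONNECT follow the finding.

```c
#include <stdio.h>

/* Constructed model, not kernel code: rs, new, rs_timeout follow the finding. */
enum model_state { M_LISTEN, M_WAIT_CONNECT, M_CLOSED };
struct model_callout { int armed; struct model_session *arg; };
struct model_session { enum model_state state; struct model_callout rs_timeout; };

/* Stand-in for callout_reset(): arm a timer and record the handler argument. */
static void model_callout_reset(struct model_callout *c, struct model_session *arg)
{
    c->armed = 1;
    c->arg = arg;
}

/* Expiry: if armed, tear down whichever session was passed as the argument. */
static void model_expire(struct model_callout *c)
{
    if (!c->armed)
        return;
    c->armed = 0;
    c->arg->state = M_CLOSED;
}

/* Pattern from the finding: timer and argument both belong to the listener. */
static void newconn_buggy(struct model_session *rs, struct model_session *new)
{
    new->state = M_WAIT_CONNECT;
    model_callout_reset(&rs->rs_timeout, rs);
}

/* Corrected pattern: the new session's own timer, with new as the argument. */
static void newconn_fixed(struct model_session *rs, struct model_session *new)
{
    (void)rs;
    new->state = M_WAIT_CONNECT;
    model_callout_reset(&new->rs_timeout, new);
}

/* One accept + expiry cycle. Bit 0: listener alive. Bit 1: new session reaped. */
int simulate(int fixed)
{
    struct model_session rs = { M_LISTEN, { 0, NULL } };
    struct model_session new = { M_WAIT_CONNECT, { 0, NULL } };
    (fixed ? newconn_fixed : newconn_buggy)(&rs, &new);
    model_expire(&rs.rs_timeout);   /* both timers get their chance to fire */
    model_expire(&new.rs_timeout);
    return (rs.state == M_LISTEN) | ((new.state == M_CLOSED) << 1);
}

int main(void) { printf("buggy=%d fixed=%d\n", simulate(0), simulate(1)); return 0; }
```

simulate(0) returns 0: the listener was torn down and the new session was never reaped, matching both consequences above. simulate(1) returns 3.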