DF-0454
Uninitialized kernel stack info leak in RPN response: param_mask never initialized for 1-byte RPN command
Summary
In rfcomm_session_recv_mcc_rpn() (:1227-1269), when pkthdr.len == 1 (:1230) only one byte is copied via m_copydata(m, 0, 1, &rpn) into the 8-byte struct. That copy writes only dlci (offset 0); bit_rate through xoff (offsets 1-5) are set from defaults (:1221-1225). param_mask (offsets 6-7) is never initialized. Line :1232, rpn.param_mask = letoh16(rpn.param_mask), therefore reads two uninitialized bytes of kernel stack, and the full 8-byte struct is then sent to the remote peer via rfcomm_session_send_mcc (:1269). Up to ~7 bits of kernel stack are leaked per request. A remote, unauthenticated Bluetooth peer that sends a 1-byte RPN command observes kernel stack contents in the param_mask field of the response.
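The defensive pattern for this class of bug is that every byte of a struct that is echoed back to a peer must be assigned on every path before it is sent. The following is an added, stand-alone C model of the hardened handler; it is not the kernel's code. The struct models the 8-byte layout the finding describes (dlci at offset 0, five 1-byte settings at offsets 1-5, a 2-byte little-endian param_mask at offsets 6-7); the field names between dlci and param_mask, the default values, and the helper names are assumptions for the model. It zero-initializes the struct as defense in depth, assigns param_mask explicitly in the 1-byte branch (the assignment the finding says is missing), and rejects lengths other than 1 or 8 so no other partial copy can occur.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 8-byte RPN parameter block (layout from the finding; field
 * names other than dlci/param_mask are assumed for this model). Six uint8_t
 * followed by a uint16_t gives sizeof == 8 with no padding. */
struct rpn_params {
    uint8_t  dlci;          /* offset 0: copied from the request */
    uint8_t  bit_rate;      /* offsets 1-5: defaults for a 1-byte request */
    uint8_t  line_settings;
    uint8_t  flow_control;
    uint8_t  xon;
    uint8_t  xoff;
    uint16_t param_mask;    /* offsets 6-7: the field left uninitialized in the finding */
};

/* Placeholder defaults; the real values are a protocol decision. */
#define RPN_DEFAULT_BIT_RATE       0x03
#define RPN_DEFAULT_LINE_SETTINGS  0x03
#define RPN_DEFAULT_FLOW_CONTROL   0x00
#define RPN_DEFAULT_XON            0x11
#define RPN_DEFAULT_XOFF           0x13
/* Explicit mask for a request that carried no parameters (assumed value). */
#define RPN_PM_NONE_REQUESTED      0x0000

/* Decode a 2-byte little-endian field from the wire. */
static uint16_t rpn_letoh16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Build the response block for an incoming RPN command.
 * Returns 0 and fills *resp on success, -1 for an unsupported length.
 * Every field of the local struct is assigned on every success path, so no
 * stack bytes can reach the wire regardless of the request length. */
int rpn_build_response(const uint8_t *req, size_t len, struct rpn_params *resp)
{
    struct rpn_params rpn;

    /* Defense in depth: no field (or padding) starts out uninitialized. */
    memset(&rpn, 0, sizeof rpn);

    if (len == sizeof rpn) {
        /* Full 8-byte command: every field comes from the request. */
        memcpy(&rpn, req, sizeof rpn);
        rpn.param_mask = rpn_letoh16(req + 6);
    } else if (len == 1) {
        /* 1-byte command: only dlci is supplied; fill the rest explicitly,
         * including param_mask, which the finding shows was left out. */
        rpn.dlci          = req[0];
        rpn.bit_rate      = RPN_DEFAULT_BIT_RATE;
        rpn.line_settings = RPN_DEFAULT_LINE_SETTINGS;
        rpn.flow_control  = RPN_DEFAULT_FLOW_CONTROL;
        rpn.xon           = RPN_DEFAULT_XON;
        rpn.xoff          = RPN_DEFAULT_XOFF;
        rpn.param_mask    = RPN_PM_NONE_REQUESTED;
    } else {
        /* Any other length would leave part of the struct unwritten. */
        return -1;
    }

    *resp = rpn;
    return 0;
}

/* Serialize the response to its 8-byte wire form (param_mask little-endian). */
void rpn_serialize(const struct rpn_params *p, uint8_t out[8])
{
    out[0] = p->dlci;
    out[1] = p->bit_rate;
    out[2] = p->line_settings;
    out[3] = p->flow_control;
    out[4] = p->xon;
    out[5] = p->xoff;
    out[6] = (uint8_t)(p->param_mask & 0xff);
    out[7] = (uint8_t)(p->param_mask >> 8);
}

int main(void)
{
    /* Constructed sample: a 1-byte RPN command for DLCI 2. */
    const uint8_t req[1] = { 0x02 };
    struct rpn_params resp;
    uint8_t wire[8];

    if (rpn_build_response(req, sizeof req, &resp) != 0)
        return 1;
    rpn_serialize(&resp, wire);
    printf("response:");
    for (size_t i = 0; i < sizeof wire; i++)
        printf(" %02x", wire[i]);
    printf("\n");
    return 0;
}
```

The key check when reviewing a fix of this kind is to walk every branch of the handler and confirm that the field count assigned equals the field count sent; the memset makes that property hold even if a later edit adds a new field to the struct.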