DragonFlyBSD Kernel Audit
DF-0456

NULL deref in rfcomm_session_complete: credit NULL check under #ifdef DIAGNOSTIC only, no guard on production

Summary

rfcomm_session_complete() (lines 446-454) loops count times, dequeuing one credit from rs_credits per iteration. The NULL check on credit (lines 448-453) is wrapped in #ifdef DIAGNOSTIC, so production builds have no guard at all. If L2CAP over-reports count relative to the number of outstanding credits, STAILQ_FIRST() returns NULL and line 454 dereferences credit->rc_dlc, panicking the kernel. Not directly remote-triggerable (it requires an L2CAP completion-accounting bug), but a defense-in-depth gap.
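As an added illustration (not DragonFly's netbt code), a userland model of the audited pattern: a constructed credit list, the DIAGNOSTIC-only guard exactly as described, and a hardened variant that checks unconditionally and returns how many completions had no matching credit. Only the field names from the ticket are real; the structures, list layout and function names are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Constructed stand-ins for the netbt structures; field names follow the
 * audit ticket, the layout does not (hypothetical, not DragonFly's code). */
struct rfcomm_dlc { int rd_pending; };
struct rfcomm_credit { struct rfcomm_dlc *rc_dlc; struct rfcomm_credit *rc_next; };
struct rfcomm_session { struct rfcomm_credit *rs_credits; };  /* list head */

/* Enqueue one outstanding credit for dlc at the tail of rs_credits. */
void rfcomm_credit_add(struct rfcomm_session *rs, struct rfcomm_dlc *dlc)
{
    struct rfcomm_credit *c = calloc(1, sizeof *c), **pp = &rs->rs_credits;
    c->rc_dlc = dlc;
    dlc->rd_pending++;
    while (*pp != NULL)
        pp = &(*pp)->rc_next;
    *pp = c;
}

/* The audited pattern: the NULL check compiles only with -DDIAGNOSTIC, so a
 * production build dereferences credit->rc_dlc when count exceeds the queue. */
void complete_diagnostic_only(struct rfcomm_session *rs, int count)
{
    while (count-- > 0) {
        struct rfcomm_credit *credit = rs->rs_credits;
#ifdef DIAGNOSTIC
        if (credit == NULL)
            break;
#endif
        credit->rc_dlc->rd_pending--;          /* NULL deref on over-report */
        rs->rs_credits = credit->rc_next;
        free(credit);
    }
}

/* Hardened form: guard unconditionally and report how many completions had
 * no matching credit, so the caller can log the accounting error and go on. */
int complete_guarded(struct rfcomm_session *rs, int count)
{
    int excess = 0;
    while (count-- > 0) {
        struct rfcomm_credit *credit = rs->rs_credits;
        if (credit == NULL) { excess = count + 1; break; }   /* count already decremented */
        credit->rc_dlc->rd_pending--;
        rs->rs_credits = credit->rc_next;
        free(credit);
    }
    return excess;
}
```

complete_diagnostic_only() is only safe to call with an exact count in a build without DIAGNOSTIC; complete_guarded() tolerates any count.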