DragonFlyBSD Kernel Audit
DF-0458

Heap over-read / info-leak / panic in L2CA_Ping: missing echo-data length validation

Summary

In ng_l2cap_l2ca_ping_req() (lines 1306-1358), the only size check on the incoming control message is arglen < sizeof(*ip) = 8 (line 1306); echo_size is then bounded only against NG_L2CAP_MAX_ECHO_SIZE = 65531 (line 1316). The _ng_l2cap_echo_req macro passes msg->data + sizeof(*ip) and echo_size to m_copyback (lines 1357-1358) with no check that arglen >= sizeof(*ip) + echo_size. A message with arglen == 8 but echo_size == 65531 therefore makes m_copyback read up to 65531 bytes out of bounds, past the allocated message buffer and into the kernel heap. The over-read bytes are placed in the L2CAP EchoReq sent to the remote Bluetooth peer, so kernel heap contents leak over the air; if the read crosses into an unmapped page, the result is a panic (DoS). The trigger is a local, privileged netgraph control message. Fix: reject the message when arglen < sizeof(*ip) + echo_size.
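The original length check beside the corrected one, as an added illustration (not DragonFlyBSD's code); the 8-byte header struct, its field layout and the function names are assumed stand-ins for the real L2CA_Ping request structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical stand-in for the 8-byte L2CA_Ping request header the
 * finding refers to as *ip (sizeof(*ip) == 8); field layout is assumed. */
struct ping_req_hdr {
    uint16_t result;
    uint16_t echo_size;   /* bytes of echo data expected after the header */
    uint32_t pad;
};
_Static_assert(sizeof(struct ping_req_hdr) == 8, "header must be 8 bytes");

#define MAX_ECHO_SIZE 65531u  /* NG_L2CAP_MAX_ECHO_SIZE from the finding */

/* Check as described in the finding: header present, echo_size within
 * the protocol maximum. Nothing ties echo_size to the actual arglen. */
bool ping_req_ok_original(size_t arglen, const struct ping_req_hdr *ip)
{
    if (arglen < sizeof(*ip))
        return false;
    if (ip->echo_size > MAX_ECHO_SIZE)
        return false;
    return true;   /* m_copyback would then read echo_size bytes */
}

/* Corrected check: the message must actually carry echo_size bytes of
 * echo data after the header before any of it is copied out. */
bool ping_req_ok_fixed(size_t arglen, const struct ping_req_hdr *ip)
{
    if (arglen < sizeof(*ip))
        return false;
    if (ip->echo_size > MAX_ECHO_SIZE)
        return false;
    /* echo_size is at most 65535, so this sum cannot overflow size_t */
    if (arglen < sizeof(*ip) + (size_t)ip->echo_size)
        return false;
    return true;
}

/* How many bytes past the end of an arglen-byte message the original
 * code would read for a given echo_size (0 when the message is long enough). */
size_t over_read_bytes(size_t arglen, uint16_t echo_size)
{
    size_t needed = sizeof(struct ping_req_hdr) + (size_t)echo_size;
    return needed > arglen ? needed - arglen : 0;
}
```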