DF-0481
Integer overflow in root path cost comparison allows topology manipulation via crafted BPDU
Summary
bstp_configuration_update (:513-516): bif_peer_cost + bif_path_cost is computed as uint32_t without an overflow check. bif_peer_cost = ntohl(cpdu.cbu_rootpathcost) (:924) is fully attacker-controlled. With root_path_cost = 0xFFFFFFFF and path_cost = 55 the sum wraps to 0x36 (54) -> artificially low cost to root -> incorrect root-port selection -> potential MITM. Same pattern at :515, :544, :590, :592, :611. Bounded by STP's inherent L2 trust (an attacker can already become root with the lowest bridge_id). Fix: use uint64_t arithmetic or reject root_path_cost > 0x7FFFFFFF.
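Added example (not code from the affected source): the 32-bit sum described above beside both proposed fixes, using the finding's values for the crafted port. struct port, its field names, the helper names and the honest port's peer cost of 100 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-port fields named in the finding. */
struct port {
    uint32_t peer_cost;  /* root path cost taken from the received BPDU */
    uint32_t path_cost;  /* locally configured cost of this port */
};

/* Pattern from the finding: 32-bit sum, wraps modulo 2^32. */
static uint32_t cost_wrapping(const struct port *p)
{
    return p->peer_cost + p->path_cost;
}

/* Fix option 1: widen before adding so the sum cannot wrap. */
static uint64_t cost_wide(const struct port *p)
{
    return (uint64_t)p->peer_cost + p->path_cost;
}

/* Fix option 2: reject an out-of-range root path cost when parsing. */
static int peer_cost_ok(uint32_t root_path_cost)
{
    return root_path_cost <= 0x7FFFFFFFu;
}

/* Each returns 1 if port a is the lower-cost path to root than port b. */
static int better_wrapping(const struct port *a, const struct port *b)
{
    return cost_wrapping(a) < cost_wrapping(b);
}
static int better_wide(const struct port *a, const struct port *b)
{
    return cost_wide(a) < cost_wide(b);
}

int main(void)
{
    /* Constructed sample ports; crafted uses the numbers in the finding. */
    struct port crafted = { 0xFFFFFFFFu, 55 };
    struct port honest  = { 100, 55 };
    printf("wrapping: crafted=%u honest=%u crafted_wins=%d\n",
           (unsigned)cost_wrapping(&crafted), (unsigned)cost_wrapping(&honest),
           better_wrapping(&crafted, &honest));
    printf("wide: crafted_wins=%d peer_cost_ok=%d\n",
           better_wide(&crafted, &honest), peer_cost_ok(crafted.peer_cost));
    return 0;
}
```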