DragonFlyBSD Kernel Audit
DF-0508

L2CAP ConfigReq unknown-option echo inflates m_pkthdr.len past mbuf data -> remote kernel heap info leak

Summary

get_next_l2cap_opt() (:1317-1322) returns -3 for an unknown non-hint option without checking hdr->length against the data actually present in the mbuf. The MTU, FLUSH and QOS cases each verify hdr->length <= len (:1289, :1295, :1304); the default case does not. The missing check is the same comparison the known-option cases already perform.

In ng_l2cap_process_cfg_req() the -3 arm (:599-600) first calls m_adj(m, off - sizeof(hdr)), which leaves m_pkthdr.len equal to the bytes that really remain, then at :600 overwrites it with sizeof(hdr) + hdr.length, where hdr.length is the peer-supplied option length (up to 255). A peer that sets length = 0xFF but sends only a few real bytes therefore gets m_pkthdr.len raised to 257 while only about 6 bytes of data exist in the chain.

The adjusted mbuf is echoed back as the ConfigRsp payload, so _ng_l2cap_cfg_rsp() (cmds.h:191-197) carries the inflated length forward; ng_l2cap_lp_send() derives the on-air L2CAP and ACL lengths from m_pkthdr.len; and usbd_m_copy_in() at ng_ubt.c:1028 then copies m_pkthdr.len bytes, reading past the end of the mbuf chain into adjacent kernel heap. Those bytes go out over Bluetooth to the peer.

Trigger: an L2CAP_ConfigReq carrying an unknown non-hint option with type = 0x06, length = 0xFF and a single data byte. Each request leaks up to roughly 253 bytes of kernel heap, and the request can be repeated. Attacker: any unauthenticated Bluetooth peer within radio range. Affects the default configuration.
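Added here as an illustration and not DragonFly's code: a user-space C model of the option walk and the -3 arm, run once as described in the finding and once with the length check the default case is missing. struct mb, get_next_opt(), process_cfg_req(), the OPT_* values and the assumed hint-bit position are simplified stand-ins for the kernel's mbuf and ng_l2cap routines; the trigger bytes (one valid MTU option followed by type 0x06, length 0xFF, one data byte) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not ng_l2cap: only the two mbuf fields that matter
 * are kept, the bytes really present vs. the m_pkthdr.len the TX path trusts. */
#define OPT_HINT  0x80   /* assumed hint-bit position in the option type byte */
#define OPT_MTU   0x01
#define OPT_FLUSH 0x02
#define OPT_QOS   0x03

struct opt_hdr { uint8_t type; uint8_t length; };

struct mb {
    uint8_t buf[512];
    size_t  data_len;    /* bytes really in the chain */
    size_t  pkthdr_len;  /* what m->m_pkthdr.len claims */
};

/* Like m_adj(m, n) with n > 0: drop n leading bytes, pkthdr.len follows. */
static void mb_adj(struct mb *m, size_t n)
{
    if (n > m->data_len) n = m->data_len;
    memmove(m->buf, m->buf + n, m->data_len - n);
    m->data_len -= n;
    m->pkthdr_len = m->data_len;
}

/* Option walker: 0 = end of options, 1 = option consumed, -1 = malformed,
 * -3 = unknown non-hint option (caller echoes it back in the ConfigRsp).
 * strict=0 reproduces the gap: the default case never compares hdr->length
 * with the bytes remaining. strict=1 adds that check. */
static int get_next_opt(const struct mb *m, size_t *off, struct opt_hdr *hdr, int strict)
{
    long len = (long)m->pkthdr_len - (long)*off;
    if (len == 0) return 0;
    if (len < (long)sizeof(*hdr)) return -1;

    hdr->type   = m->buf[*off];
    hdr->length = m->buf[*off + 1];
    *off += sizeof(*hdr);
    len  -= sizeof(*hdr);

    int hint = hdr->type & OPT_HINT;
    switch (hdr->type & ~OPT_HINT) {
    case OPT_MTU:
    case OPT_FLUSH:
        if (hdr->length != 2 || hdr->length > len) return -1;   /* validated */
        *off += hdr->length;
        return 1;
    case OPT_QOS:
        if (hdr->length != 22 || hdr->length > len) return -1;  /* validated */
        *off += hdr->length;
        return 1;
    default:
        if (hint) {                      /* hints are skipped in this model */
            if (hdr->length > len) return -1;
            *off += hdr->length;
            return 1;
        }
        if (strict && hdr->length > len) /* hardened: bound unknown options too */
            return -1;
        return -3;                       /* unpatched: length never checked */
    }
}

/* Returns the length the ConfigRsp echo will claim for the unknown option,
 * 0 when the request parses cleanly or is rejected. Mirrors the -3 arm:
 * m_adj() to the option start, then pkthdr.len rewritten from hdr.length. */
static size_t process_cfg_req(struct mb *m, int strict)
{
    size_t off = 0;
    struct opt_hdr hdr;
    for (;;) {
        int rc = get_next_opt(m, &off, &hdr, strict);
        if (rc == 0 || rc == -1) return 0;
        if (rc == -3) {
            mb_adj(m, off - sizeof(hdr));              /* pkthdr_len == data_len */
            m->pkthdr_len = sizeof(hdr) + hdr.length;  /* peer-controlled, up to 257 */
            return m->pkthdr_len;
        }
    }
}

/* Bytes a TX copy driven by pkthdr.len would read past the end of the chain. */
static size_t tx_overread(const struct mb *m)
{
    return m->pkthdr_len > m->data_len ? m->pkthdr_len - m->data_len : 0;
}

/* Constructed trigger: valid MTU option, then type 0x06, length 0xFF, one byte. */
static const uint8_t trigger[] = { 0x01, 0x02, 0xF0, 0x01, 0x06, 0xFF, 0x41 };

static void load(struct mb *m, const uint8_t *p, size_t n)
{
    memset(m, 0, sizeof(*m));
    memcpy(m->buf, p, n);
    m->data_len = m->pkthdr_len = n;
}

size_t unpatched_echo_len(void) { struct mb m; load(&m, trigger, sizeof trigger); return process_cfg_req(&m, 0); }
size_t unpatched_overread(void) { struct mb m; load(&m, trigger, sizeof trigger); process_cfg_req(&m, 0); return tx_overread(&m); }
size_t hardened_echo_len(void)  { struct mb m; load(&m, trigger, sizeof trigger); return process_cfg_req(&m, 1); }

int main(void)
{
    printf("unpatched: echo claims %zu bytes, %zu read past the mbuf\n",
           unpatched_echo_len(), unpatched_overread());
    printf("hardened: echo %zu bytes (request rejected)\n", hardened_echo_len());
    return 0;
}
```

With the unpatched walker the echo claims 257 bytes while 3 remain after m_adj(), so 254 bytes beyond the chain would be copied; with the default case bounded the same request is rejected before anything is echoed.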