DF-0532
bt3c_download_firmware: unvalidated block_size causes heap OOB read of msg->data
Summary
bt3c_download_firmware (:1121-1137) is reached through NGM_BT3C_NODE_DOWNLOAD_FIRMWARE (:508-515), whose only validation is arglen >= sizeof(ng_bt3c_firmware_block_ep). The block loop reads data[i] (:1133), i.e. firmware[size + 8 + i*2], for i < block->block_size, but there is NO check that size + 8 + block_size*2 <= firmware_size. block_size is a u_int16_t taken directly from the attacker-controlled message. A minimal 8-byte message with block_size = 65535 therefore produces a ~131KB out-of-bounds read past msg->data into the kernel heap. The over-read bytes are written to the card's I/O ports rather than returned to userspace, so there is no direct information leak, but the read panics the kernel if it crosses into an unmapped page. Fix: validate that the block header plus block_size*2 bytes of data fit inside firmware_size before entering the loop.
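The following is an added example of the missing bounds check, not the driver's code. It assumes the 8-byte header layout the report describes (address, then block_size as a count of 16-bit words, then alignment); the field names, the sink callback standing in for the card I/O write, and the demo inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed header layout (8 bytes), mirroring the report's description. */
struct fw_block_hdr {
    uint32_t block_address;
    uint16_t block_size;       /* 16-bit words that follow the header */
    uint16_t block_alignment;
};

/*
 * The check the original loop lacks: does the header at `off` plus
 * block_size*2 bytes of data lie entirely inside the buffer? Uses size_t and
 * subtraction so no intermediate sum can wrap on a 16-bit block_size.
 */
static int fw_block_fits(const uint8_t *fw, size_t fw_len, size_t off,
                         size_t *block_len)
{
    struct fw_block_hdr hdr;

    if (off > fw_len || fw_len - off < sizeof hdr)
        return 0;                      /* truncated header */
    memcpy(&hdr, fw + off, sizeof hdr);

    size_t need = sizeof hdr + (size_t)hdr.block_size * 2;
    if (fw_len - off < need)
        return 0;                      /* data would run past the buffer */
    if (block_len)
        *block_len = need;
    return 1;
}

/*
 * Hardened walker. `sink` stands in for the card I/O write (may be NULL);
 * `words_out` receives the number of words emitted. Returns the number of
 * blocks processed, or -1 as soon as a block does not fit. The original loop
 * has no such branch and reads data[i] for every i < block_size regardless.
 */
int fw_download_checked(const uint8_t *fw, size_t fw_len,
                        void (*sink)(uint16_t), size_t *words_out)
{
    size_t off = 0, words = 0;
    int blocks = 0;

    while (off < fw_len) {
        size_t block_len;
        if (!fw_block_fits(fw, fw_len, off, &block_len))
            return -1;

        struct fw_block_hdr hdr;
        memcpy(&hdr, fw + off, sizeof hdr);
        const uint8_t *data = fw + off + sizeof hdr;

        for (size_t i = 0; i < hdr.block_size; i++) {
            uint16_t w;
            memcpy(&w, data + i * 2, sizeof w);   /* data[i] in the report */
            if (sink)
                sink(w);
            words++;
        }
        off += block_len;
        blocks++;
    }
    if (words_out)
        *words_out = words;
    return blocks;
}

/* Constructed input: the report's minimal 8-byte message, block_size = 65535. */
int demo_minimal_msg(void)
{
    struct fw_block_hdr hdr = { 0x1000, 65535, 2 };
    uint8_t msg[sizeof hdr];
    memcpy(msg, &hdr, sizeof hdr);
    return fw_download_checked(msg, sizeof msg, NULL, NULL);
}

/* Constructed input: header claims 1 word but only 1 byte of data follows. */
int demo_truncated_data(void)
{
    struct fw_block_hdr hdr = { 0x1000, 1, 2 };
    uint8_t msg[sizeof hdr + 1];
    memcpy(msg, &hdr, sizeof hdr);
    msg[sizeof hdr] = 0xAA;
    return fw_download_checked(msg, sizeof msg, NULL, NULL);
}

/* Constructed input: two well-formed blocks (2 words, then 1 word). */
static size_t g_valid_words;
int demo_valid_image(void)
{
    struct fw_block_hdr h1 = { 0x1000, 2, 2 }, h2 = { 0x2000, 1, 2 };
    uint8_t img[sizeof h1 + 4 + sizeof h2 + 2];
    uint8_t *p = img;
    memcpy(p, &h1, sizeof h1); p += sizeof h1;
    memcpy(p, "\x11\x22\x33\x44", 4); p += 4;
    memcpy(p, &h2, sizeof h2); p += sizeof h2;
    memcpy(p, "\x55\x66", 2);
    return fw_download_checked(img, sizeof img, NULL, &g_valid_words);
}
size_t demo_valid_words(void) { return g_valid_words; }

int main(void)
{
    printf("minimal 8-byte message: %d\n", demo_minimal_msg());
    printf("truncated data: %d\n", demo_truncated_data());
    printf("valid image: %d blocks, %zu words\n", demo_valid_image(), demo_valid_words());
    return 0;
}
```

The check is done per block, before any data word is touched, because block_size is read fresh from each header as the walk advances through the message; checking only the first header would leave later blocks unvalidated.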