DragonFlyBSD Kernel Audit
DF-0540

Uninitialized cmd.ident sent in Command Reject: remote 1-byte kernel stack info leak

Summary

In l2cap_recv_signal() (:70-164), the command header l2cap_cmd_hdr_t cmd is declared on the stack without an initializer (:70). The first check, if (m_pkthdr.len < sizeof(cmd)) goto reject; with sizeof(cmd) = 4 (:76-77), runs BEFORE m_copydata() populates cmd (:79). The reject: label then calls l2cap_send_command_rej(link, cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD) (:164), so the ident field of the L2CAP_COMMAND_REJ response carries the uninitialized cmd.ident byte, and the response is transmitted over Bluetooth. A remote, unauthenticated peer that sends a signalling packet with an L2CAP length of 1 to 3 bytes reaches the reject path before cmd is written and receives one byte of kernel stack memory per request in the ident field. Repeated probing reads the same fixed stack offset each time. Fix: initialize the header (l2cap_cmd_hdr_t cmd = {0}) or, for short packets, send the reject with ident 0.
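As an added illustration, not code from the DragonFlyBSD tree, the shape of the bug and the initializer fix modelled in self-contained C. The header struct, the send_command_rej() stub, which returns the ident instead of transmitting it, and the `stale` parameter standing in for the leftover stack byte are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the 4-byte L2CAP signalling command header. */
typedef struct {
    uint8_t  code;
    uint8_t  ident;
    uint16_t length;
} l2cap_cmd_hdr_t;

#define L2CAP_REJ_NOT_UNDERSTOOD 0x0000

/* Stand-in for l2cap_send_command_rej(): returns the ident it would echo
 * in the COMMAND_REJ packet instead of transmitting it. */
static uint8_t send_command_rej(uint8_t ident, uint16_t reason)
{
    (void)reason;
    return ident;
}

/* Vulnerable shape: the length check jumps to reject before cmd is filled.
 * Reading a stale stack slot is undefined behaviour in portable C, so the
 * `stale` parameter models the leftover byte the real kernel would leak.
 * Every full header is treated as not understood so both paths reject. */
uint8_t recv_signal_vuln(const uint8_t *pkt, size_t len, uint8_t stale)
{
    l2cap_cmd_hdr_t cmd;        /* no initializer, as in the audited code */
    cmd.ident = stale;          /* models the leftover stack contents */
    if (len < sizeof(cmd))
        goto reject;            /* fires before the copy below */
    memcpy(&cmd, pkt, sizeof(cmd));
reject:
    return send_command_rej(cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD);
}

/* Fixed shape: zero-initialize the header, so a short packet is rejected
 * with ident 0 and only a fully received header can echo its own ident. */
uint8_t recv_signal_fixed(const uint8_t *pkt, size_t len)
{
    l2cap_cmd_hdr_t cmd = {0};
    if (len < sizeof(cmd))
        goto reject;
    memcpy(&cmd, pkt, sizeof(cmd));
reject:
    return send_command_rej(cmd.ident, L2CAP_REJ_NOT_UNDERSTOOD);
}
```

A 1-byte packet makes the vulnerable version echo the stale byte while the fixed version echoes 0; a full 4-byte header echoes its own ident in both.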