DragonFlyBSD Kernel Audit
DF-0541

Uninitialized cp.data[0] in Command Reject MTU_EXCEEDED sets link MTU to stack garbage

Summary

The signalling dispatcher accepts any COMMAND_REJ whose cmd.length is at most sizeof(l2cap_cmd_rej_cp) = 6 (:91-92), which includes lengths 0 through 5. l2cap_recv_command_rej then calls m_copydata(m, 0, cmd.length, &cp) (:180/:187) into an uninitialized cp, so when cmd.length < 6 the tail of cp keeps whatever the stack previously held. In the MTU_EXCEEDED branch (reason = 0x0001), line :208 does link->hl_mtu = letoh16(cp.data[0]); when cmd.length < 4, cp.data[0] is never written by the copy, and the link MTU is overwritten with stack garbage. Practical impact is minimal: hl_mtu is only used in a kprintf under #ifdef DIAGNOSTIC (:949). Fix: validate cmd.length against a reason-specific minimum before using the data words, or zero-initialize cp.
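The following is an added, self-contained C model of the defect and its fix; it is not DragonFlyBSD code. It assumes the 6-byte layout the finding describes (16-bit reason, then two 16-bit data words), uses a plain byte array instead of the kernel's l2cap_cmd_rej_cp and mbuf API, and replaces letoh16() with an explicit little-endian read. To make the "residual stack" effect reproducible, the weak handler takes a constructed residue byte that stands in for whatever the stack slot previously held; the hardened handler zero-initialises the buffer and enforces a reason-specific minimum length (4 bytes for MTU_EXCEEDED, since it reads data[0]; 6 for INVALID_CID, which carries two CIDs per the L2CAP spec).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout assumed from the finding: 16-bit reason, then up to two
 * 16-bit data words, 6 bytes total. Reason codes follow the L2CAP spec. */
#define CMD_REJ_REASON_NOT_UNDERSTOOD 0x0000
#define CMD_REJ_REASON_MTU_EXCEEDED   0x0001
#define CMD_REJ_REASON_INVALID_CID    0x0002
#define CMD_REJ_MAX_LEN               6

/* Hypothetical link state; only the MTU field matters for this finding. */
struct link_model {
    uint16_t hl_mtu;
};

/* Little-endian 16-bit read from a byte buffer; stands in for letoh16(). */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Weak handler, mirroring the pattern in the finding: only len <= 6 is
 * checked, the buffer is never zeroed, and the MTU_EXCEEDED branch reads
 * data[0] (bytes 2..3) regardless of len. `residue` is a constructed value
 * standing in for leftover stack bytes so the effect is deterministic here.
 * Returns 0 if the command was accepted, -1 if it was dropped. */
static int cmd_rej_weak(struct link_model *link, const uint8_t *payload,
                        size_t len, uint8_t residue)
{
    uint8_t cp[CMD_REJ_MAX_LEN];

    if (len > CMD_REJ_MAX_LEN)
        return -1;                       /* the only check the dispatcher made */
    memset(cp, residue, sizeof(cp));     /* models uninitialised stack content */
    memcpy(cp, payload, len);            /* partial fill when len < 6 */

    if (rd_le16(&cp[0]) == CMD_REJ_REASON_MTU_EXCEEDED)
        link->hl_mtu = rd_le16(&cp[2]);  /* data[0]: never written when len < 4 */
    return 0;
}

/* Minimum payload length per reason: the reason field plus the data words
 * that branch actually consumes. Unknown reasons need only the reason. */
static size_t cmd_rej_min_len(uint16_t reason)
{
    switch (reason) {
    case CMD_REJ_REASON_MTU_EXCEEDED: return 4;
    case CMD_REJ_REASON_INVALID_CID:  return 6;
    default:                          return 2;
    }
}

/* Hardened handler: zero-initialised buffer plus a reason-specific length
 * check before any data word is used. Short commands are dropped. */
static int cmd_rej_hardened(struct link_model *link, const uint8_t *payload,
                            size_t len)
{
    uint8_t cp[CMD_REJ_MAX_LEN] = { 0 };
    uint16_t reason;

    if (len < 2 || len > CMD_REJ_MAX_LEN)
        return -1;
    memcpy(cp, payload, len);
    reason = rd_le16(&cp[0]);
    if (len < cmd_rej_min_len(reason))
        return -1;                       /* too short for this reason */

    if (reason == CMD_REJ_REASON_MTU_EXCEEDED)
        link->hl_mtu = rd_le16(&cp[2]);
    return 0;
}

/* Constructed payloads: a 2-byte MTU_EXCEEDED reject with no data word,
 * and a well-formed 4-byte one carrying data[0] = 0x02A0 (672). */
static const uint8_t short_mtu_rej[2] = { 0x01, 0x00 };
static const uint8_t ok_mtu_rej[4]    = { 0x01, 0x00, 0xA0, 0x02 };

/* Weak handler on the truncated payload with residue 0xA5: the residue
 * bytes become the link MTU (0xA5A5). */
static uint16_t demo_weak_short_mtu(void)
{
    struct link_model link = { .hl_mtu = 672 };
    cmd_rej_weak(&link, short_mtu_rej, sizeof(short_mtu_rej), 0xA5);
    return link.hl_mtu;
}

/* Hardened handler on the same truncated payload: returns -1 ... */
static int demo_hardened_short_rc(void)
{
    struct link_model link = { .hl_mtu = 672 };
    return cmd_rej_hardened(&link, short_mtu_rej, sizeof(short_mtu_rej));
}

/* ... and leaves the MTU untouched (still 672). */
static uint16_t demo_hardened_short_mtu(void)
{
    struct link_model link = { .hl_mtu = 672 };
    cmd_rej_hardened(&link, short_mtu_rej, sizeof(short_mtu_rej));
    return link.hl_mtu;
}

/* Hardened handler on the well-formed payload: MTU becomes 672. */
static uint16_t demo_hardened_ok_mtu(void)
{
    struct link_model link = { .hl_mtu = 1024 };
    cmd_rej_hardened(&link, ok_mtu_rej, sizeof(ok_mtu_rej));
    return link.hl_mtu;
}

int main(void)
{
    int rc = demo_hardened_short_rc();
    printf("weak, 2-byte payload:     hl_mtu = 0x%04x\n", demo_weak_short_mtu());
    printf("hardened, 2-byte payload: rc = %d, hl_mtu = %u\n", rc, demo_hardened_short_mtu());
    printf("hardened, 4-byte payload: hl_mtu = %u\n", demo_hardened_ok_mtu());
    return 0;
}
```

Either half of the fix is sufficient to stop the garbage read: zero-initialising cp makes a truncated command set the MTU to 0 rather than to stack residue, while the per-reason length check rejects the command outright, which is the behaviour the finding recommends because it also covers any other branch that consumes data words.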