DragonFlyBSD Kernel Audit
DF-0542

inquiry_result: unbounded variable-length loop reads past mbuf end -> remote kernel panic

Summary

inquiry_result() (:380-424) pulls up only sizeof(inquiry_result_ep) = 1 byte, the num_responses field (:380), and then loops for (; num_responses > 0; num_responses--) (:387). num_responses is the attacker-controlled first byte of the body and is never validated against the actual mbuf length. Each iteration consumes about 14 bytes (6+1+1+1+3+2, via m_adj/m_copydata/mtod). Once the chain is exhausted, m_copydata hits KASSERT(m != NULL) and panics on DEBUG kernels, or NULL-derefs and panics on RELEASE kernels. ng_hci_process_event logs hdr->length (:100) but never enforces it. A 1-byte body with num_responses = 255 reliably triggers the panic. Stale mtod reads additionally leak neighbor-cache info. The comment at :406, "XXX call m_pullup here?", admits the gap. Reachable remotely over Bluetooth without authentication. Fix: clamp num_responses to m_pkthdr.len / 14.
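The two checks the finding calls for, length enforcement in the event dispatcher and a clamp on num_responses in the inquiry-result handler, as an added example written for this note; it is not DragonFlyBSD or netgraph code. The mbuf chain is modelled as a flat byte buffer, so m_pullup/m_copydata/m_adj are replaced by plain bounds arithmetic, and the function names, struct name, error codes and the two sample packets are all constructed here. The 14-byte entry layout comes from the finding; the HCI event code 0x02 for Inquiry Result is the standard value and is an assumption not stated on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One inquiry-result entry: 6+1+1+1+3+2 = 14 bytes, the per-iteration size the finding derives. */
#define INQ_ENTRY_LEN 14
#define HCI_EVENT_HDR_LEN 2           /* event code + parameter length */
#define HCI_EVENT_INQUIRY_RESULT 0x02 /* standard HCI event code (assumption, not from the finding) */

/* Hypothetical struct; field order follows the 6+1+1+1+3+2 layout above. */
struct inq_entry {
    uint8_t  bdaddr[6];
    uint8_t  page_scan_rep_mode;
    uint8_t  page_scan_period_mode;
    uint8_t  page_scan_mode;
    uint8_t  dev_class[3];
    uint16_t clock_offset;
};

enum { INQ_ERR_SHORT = -1, INQ_ERR_HDR = -2, INQ_ERR_CODE = -3 };

/* Check the declared parameter length against the bytes actually received.
 * This is the hdr->length enforcement the finding says the dispatcher omits.
 * Returns the body length on success or a negative error (caller drops the packet). */
int hci_event_body_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HCI_EVENT_HDR_LEN) return INQ_ERR_SHORT;
    size_t declared = pkt[1];
    if (declared != pkt_len - HCI_EVENT_HDR_LEN) return INQ_ERR_HDR;
    return (int)declared;
}

/* Parse the inquiry-result body. num_responses is the peer-supplied first byte;
 * it is clamped to what the body can actually hold (body_len / 14), which is the
 * fix the finding proposes. Returns entries parsed; *truncated is set when the
 * count had to be clamped so the caller can log or drop the event. */
int parse_inquiry_result(const uint8_t *body, size_t body_len,
                         struct inq_entry *out, size_t out_max, int *truncated)
{
    if (body_len < 1) return INQ_ERR_SHORT;          /* no num_responses byte at all */
    size_t claimed = body[0];
    size_t avail   = (body_len - 1) / INQ_ENTRY_LEN;  /* complete entries really present */
    size_t n = claimed;
    if (n > avail)   n = avail;                       /* the clamp: never walk past the data */
    if (n > out_max) n = out_max;
    *truncated = (claimed > n);

    const uint8_t *p = body + 1;
    for (size_t i = 0; i < n; i++, p += INQ_ENTRY_LEN) {
        memcpy(out[i].bdaddr, p, 6);
        out[i].page_scan_rep_mode    = p[6];
        out[i].page_scan_period_mode = p[7];
        out[i].page_scan_mode        = p[8];
        memcpy(out[i].dev_class, p + 9, 3);
        out[i].clock_offset = (uint16_t)(p[12] | (p[13] << 8)); /* HCI fields are little-endian */
    }
    return (int)n;
}

/* Full path: header check first, then the body parser. */
int handle_hci_event(const uint8_t *pkt, size_t pkt_len,
                     struct inq_entry *out, size_t out_max, int *truncated)
{
    int blen = hci_event_body_len(pkt, pkt_len);
    if (blen < 0) return blen;
    if (pkt[0] != HCI_EVENT_INQUIRY_RESULT) return INQ_ERR_CODE;
    return parse_inquiry_result(pkt + HCI_EVENT_HDR_LEN, (size_t)blen, out, out_max, truncated);
}

/* Constructed sample packets, not captures. */
static const uint8_t MALFORMED_PKT[] = { 0x02, 0x01, 0xFF }; /* 1-byte body claiming 255 responses */
static const uint8_t GOOD_PKT[] = {
    0x02, 0x1D, 0x02,                                               /* code, length 29, num_responses = 2 */
    0x11,0x22,0x33,0x44,0x55,0x66, 0x01, 0x00, 0x00, 0x04,0x01,0x02, 0x34,0x12,
    0xAA,0xBB,0xCC,0xDD,0xEE,0xFF, 0x00, 0x00, 0x00, 0x00,0x00,0x00, 0x00,0x80,
};

int main(void)
{
    struct inq_entry e[4];
    int trunc = 0;
    int n = handle_hci_event(MALFORMED_PKT, sizeof MALFORMED_PKT, e, 4, &trunc);
    printf("malformed: parsed=%d truncated=%d\n", n, trunc);        /* 0 entries, truncated=1, no over-read */
    n = handle_hci_event(GOOD_PKT, sizeof GOOD_PKT, e, 4, &trunc);
    printf("good: parsed=%d truncated=%d clock_offset[0]=0x%04x\n", n, trunc, e[0].clock_offset);
    return 0;
}
```

The malformed packet is exactly the shape the finding describes: the header length is consistent, so the dispatcher check alone would not reject it, and only the clamp inside the handler stops the loop from walking 255 entries through 0 bytes of data. In the real driver the same arithmetic applies to m_pkthdr.len after the m_pullup of the count byte.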