DF-0543
num_compl_pkts: unbounded variable-length loop reads past mbuf end -> remote kernel panic
Summary
num_compl_pkts (:884-924) pulls up sizeof(num_compl_pkts_ep) = 1 byte, the num_con_handles field (:884), then calls m_adj (:889). It then loops with for (; num_con_handles > 0; num_con_handles--) (:891). num_con_handles is attacker-controlled and is NEVER validated against the remaining mbuf length. Each iteration performs m_copydata(sizeof(h)=2) + m_copydata(sizeof(p)=2) + m_adj, consuming 4 bytes. When the body is shorter than 4*count, the chain is exhausted and m_copydata hits a KASSERT or NULL-dereference panic. Same root cause: ng_hci_process_event never enforces hdr->length. Reachable remotely over Bluetooth without authentication. Fix: clamp num_con_handles to m_pkthdr.len/4.
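A userland C model of the clamp proposed above, added here as an illustration and not the kernel's own code. A flat buffer stands in for the mbuf chain and its m_pkthdr.len; parse_num_compl_pkts, struct compl_entry and PAIR_LEN are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* One (connection handle, completed packets) pair: 2 + 2 bytes on the wire. */
#define PAIR_LEN 4

struct compl_entry { uint16_t handle; uint16_t pkts; };

/*
 * Hypothetical userland model of the event-body parser. buf/len stand in
 * for the mbuf chain and m_pkthdr.len. Returns the number of pairs written
 * to out[], or -1 if even the 1-byte count field is missing.
 */
static int
parse_num_compl_pkts(const uint8_t *buf, size_t len,
    struct compl_entry *out, size_t out_max)
{
	size_t n, avail, i;

	if (len < 1)
		return (-1);

	n = buf[0];		/* num_con_handles: attacker-controlled */
	buf += 1;		/* models m_adj past the count byte */
	len -= 1;

	avail = len / PAIR_LEN;	/* whole pairs actually present in the body */
	if (n > avail)
		n = avail;	/* the clamp: never loop past the data */
	if (n > out_max)
		n = out_max;	/* also bound by the caller's output array */

	for (i = 0; i < n; i++) {
		/* HCI fields are little-endian; decode byte by byte. */
		out[i].handle = (uint16_t)(buf[0] | (buf[1] << 8));
		out[i].pkts = (uint16_t)(buf[2] | (buf[3] << 8));
		buf += PAIR_LEN;	/* models the per-iteration m_adj */
		len -= PAIR_LEN;
	}
	return ((int)n);
}
```

With the clamp in place, a count byte of 0xff over a 9-byte body yields two parsed pairs and the loop stops, where the unclamped loop would keep copying from an exhausted chain.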