DF-0545
Buffer accounting u_int16_t wrap in num_compl_pkts via attacker-controlled compl_pkt: throughput DoS
Summary
In num_compl_pkts (:900), p = le16toh(p) is attacker-controlled over [0, 65535]. con->pending is correctly clamped (:906-913). The NG_HCI_BUFF_ACL_FREE macro does acl_free += v; if (acl_free > acl_pkts) acl_free = acl_pkts. But acl_free is a u_int16_t, so acl_free += 0xFFFF wraps modulo 65536. The post-wrap value can land <= acl_pkts, bypassing the clamp, so an attacker can drive the buffer free count to a chosen small value, causing artificial throughput starvation. The 12-bit con_handle is brute-forceable via ng_hci_con_by_handle (:903). Fix: clamp p before applying it, or widen the intermediate type.
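The wrap and the widened-intermediate fix, shown as an added example that is not the driver's code: a constructed model of the acl_free/acl_pkts accounting described above. The names struct acl_buf, free_add_wrapping and free_add_widened, and the sample values, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two counters named in the finding;
 * this is not the driver's own structure. */
struct acl_buf {
    uint16_t acl_pkts;  /* total ACL buffers available */
    uint16_t acl_free;  /* buffers currently counted as free */
};

/* Accounting as the finding describes it: add in 16 bits, then clamp. */
static uint16_t free_add_wrapping(struct acl_buf *b, uint16_t v)
{
    b->acl_free += v;               /* result truncated to 16 bits: wraps mod 65536 */
    if (b->acl_free > b->acl_pkts)  /* clamp only sees the wrapped value */
        b->acl_free = b->acl_pkts;
    return b->acl_free;
}

/* Hardened form: widen the intermediate so the clamp sees the true sum. */
static uint16_t free_add_widened(struct acl_buf *b, uint16_t v)
{
    uint32_t sum = (uint32_t)b->acl_free + v;  /* at most 131070, cannot wrap */
    b->acl_free = (sum > b->acl_pkts) ? b->acl_pkts : (uint16_t)sum;
    return b->acl_free;
}

int main(void)
{
    /* Constructed values: 8 buffers total, 5 counted free, reported count 0xFFFF. */
    struct acl_buf a = { 8, 5 }, b = { 8, 5 };

    /* 5 + 65535 = 65540, which wraps to 4; 4 <= 8, so the clamp never fires
     * and the free count goes down instead of saturating at acl_pkts. */
    printf("wrapping: acl_free = %u\n", (unsigned)free_add_wrapping(&a, 0xFFFF));
    printf("widened:  acl_free = %u\n", (unsigned)free_add_widened(&b, 0xFFFF));
    return 0;
}
```
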