DragonFlyBSD Kernel Audit
DF-0558

hci_event_num_compl_pkts: unbounded variable-length loop with no per-iteration bounds check -> remote kernel panic

Summary

hci_event_num_compl_pkts (:376-405) trusts the attacker-controlled ep.num_con_handles (uint8, 0-255). The only up-front check is KKASSERT(pkthdr.len >= sizeof(ep) = 1) (:376). The while (ep.num_con_handles--) loop (:380-405) does m_copydata(handle), m_copydata(num) and m_adj on every iteration with NO check that the chain still contains 4*count bytes. A controller that sends num_con_handles > N actual pairs makes m_copydata walk off the end of the chain -> KASSERT(m != NULL) panic with INVARIANTS, NULL-deref panic without INVARIANTS. hci_event_hdr_t.length, parsed at hci_event() :168, is NEVER consulted. INVARIANTS is on in X86_64_GENERIC (:56), so the panic is the production default. Netbt twin of DF-0543 (ng7). Remote unauthenticated BT DoS. Fix: validate num_con_handles*4 <= pkthdr.len up front.
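Added illustration of the recommended up-front check, not DragonFly's netbt code: a flat-buffer parser for the Number of Completed Packets event payload that rejects a declared pair count the packet cannot hold before touching any pair. It assumes the wire layout of the event (1-byte count followed by little-endian handle/count pairs of 4 bytes) and uses constructed sample packets instead of an mbuf chain.

```c
#include <stddef.h>
#include <stdint.h>

/* HCI Number of Completed Packets payload: uint8 count, then count pairs of
 * (uint16 connection handle, uint16 completed packets), little-endian. */
#define NCP_PAIR_SIZE 4
#define NCP_MAX_PAIRS 255

struct ncp_pair { uint16_t handle; uint16_t num; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of pairs parsed, or -1 when the declared count exceeds
 * the bytes actually present (the DF-0558 condition) or out[] is too small.
 * The check uses the bytes remaining after the count byte itself, which is
 * the strict form of "num_con_handles*4 <= pkthdr.len". */
int parse_num_compl_pkts(const uint8_t *buf, size_t len,
                         struct ncp_pair *out, size_t out_cap)
{
    if (buf == NULL || len < 1)
        return -1;
    unsigned count = buf[0];
    size_t remaining = len - 1;
    if ((size_t)count * NCP_PAIR_SIZE > remaining)   /* up-front bounds check */
        return -1;
    if (count > out_cap)
        return -1;
    const uint8_t *p = buf + 1;
    for (unsigned i = 0; i < count; i++, p += NCP_PAIR_SIZE) {
        out[i].handle = le16(p);
        out[i].num    = le16(p + 2);
    }
    return (int)count;
}

/* Constructed sample: count=2, pairs (0x0001,3) and (0x0002,1). */
int demo_well_formed(void)
{
    static const uint8_t pkt[] = {2, 0x01,0x00, 0x03,0x00, 0x02,0x00, 0x01,0x00};
    struct ncp_pair pairs[NCP_MAX_PAIRS];
    return parse_num_compl_pkts(pkt, sizeof pkt, pairs, NCP_MAX_PAIRS);
}

/* Constructed sample: count claims 5 pairs but only 2 are carried. */
int demo_overclaimed_count(void)
{
    static const uint8_t pkt[] = {5, 0x01,0x00, 0x03,0x00, 0x02,0x00, 0x01,0x00};
    struct ncp_pair pairs[NCP_MAX_PAIRS];
    return parse_num_compl_pkts(pkt, sizeof pkt, pairs, NCP_MAX_PAIRS);
}
```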