DragonFlyBSD Kernel Audit
DF-0559

hci_event_inquiry_result/rssi_result: unbounded loops guarded only by KKASSERT -> remote kernel panic on short data

Summary

hci_event_inquiry_result() (lines 447-469) and hci_event_rssi_result() (lines 484-506) trust the attacker-controlled ep.num_responses field, a uint8 with range 0-255. The only up-front check is KKASSERT(pkthdr.len >= sizeof(ep)), where sizeof(ep) is 1 (lines 447 and 484). The while (ep.num_responses--) loop then asserts once per iteration that a full record remains: KKASSERT(pkthdr.len >= sizeof(ir)) with sizeof(ir) = 15 (line 455), or KKASSERT(pkthdr.len >= sizeof(rr)) with sizeof(rr) = 14 (line 492). A controller that announces more responses than the payload actually carries (num_responses > N records) makes that assertion fail: with INVARIANTS (the default in X86_64_GENERIC) the kernel panics; without INVARIANTS execution continues and m_copydata dereferences NULL. hci_event_hdr_t.length is never consulted. Because the structures are packed (hci.h:1862 and hci.h:2092), the attacker can compute exactly how short the data must be. This is the netbt twin of DF-0542 (ng7). Impact: remote, unauthenticated Bluetooth denial of service. Fix: validate num_responses * sizeof(ir) <= remaining up front, and replace the KKASSERTs with real bounds checks that reject the event.
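The fix the summary describes, shown as a stand-alone parser rather than as a patch to the netbt code (this is an added illustration, not DragonFly's code; it takes only the record sizes and the count-byte layout from the finding and uses a flat byte buffer in place of the mbuf and pkthdr). The whole count-versus-length check happens once before the loop, and a short payload is rejected with an error instead of being discovered one record at a time inside an assertion:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record sizes as stated in the finding: sizeof(ir) == 15 for inquiry
 * results, sizeof(rr) == 14 for RSSI results; the count field is 1 byte. */
#define INQUIRY_RESULT_LEN 15u
#define RSSI_RESULT_LEN    14u

/*
 * Walk a result-event payload of `len` bytes, where buf[0] is num_responses
 * and each following record is `rec_len` bytes (hypothetical callback API).
 * Returns the number of records processed, or -1 if the payload is shorter
 * than the count it announces.  Nothing is read before the length is known
 * to be sufficient, so a lying controller cannot drive the loop off the end.
 */
int parse_result_records(const uint8_t *buf, size_t len, size_t rec_len,
                         void (*handle)(const uint8_t *rec, size_t rec_len, void *ctx),
                         void *ctx)
{
    if (len < 1)
        return -1;                      /* not even the count byte is present */

    unsigned num_responses = buf[0];    /* uint8, 0..255, controller-controlled */
    size_t remaining = len - 1;

    /* Up-front bounds check; 255 * 15 cannot overflow size_t. */
    if ((size_t)num_responses * rec_len > remaining)
        return -1;                      /* announces more records than carried */

    const uint8_t *p = buf + 1;
    for (unsigned i = 0; i < num_responses; i++, p += rec_len) {
        if (handle)
            handle(p, rec_len, ctx);    /* safe: p + rec_len <= buf + len */
    }
    return (int)num_responses;
}

/* Counting callback used by the constructed demos below. */
static void count_records(const uint8_t *rec, size_t rec_len, void *ctx)
{
    (void)rec;
    (void)rec_len;
    (*(int *)ctx)++;
}

/* Constructed payload: announces 3 inquiry results, carries only 2 (31 bytes). */
int demo_short_payload(void)
{
    uint8_t buf[1 + 2 * INQUIRY_RESULT_LEN] = { 3 };
    int n = 0;
    return parse_result_records(buf, sizeof buf, INQUIRY_RESULT_LEN,
                                count_records, &n);
}

/* Constructed payload: announces 2 RSSI results and carries exactly 2. */
int demo_exact_payload(void)
{
    uint8_t buf[1 + 2 * RSSI_RESULT_LEN] = { 2 };
    int n = 0;
    int rc = parse_result_records(buf, sizeof buf, RSSI_RESULT_LEN,
                                  count_records, &n);
    return (rc == 2 && n == 2) ? 2 : -1;
}

/* Constructed payload: a count byte of zero and nothing else is valid. */
int demo_zero_responses(void)
{
    uint8_t buf[1] = { 0 };
    return parse_result_records(buf, sizeof buf, INQUIRY_RESULT_LEN, NULL, NULL);
}

int main(void)
{
    printf("short payload   -> %d (expect -1)\n", demo_short_payload());
    printf("exact payload   -> %d (expect 2)\n", demo_exact_payload());
    printf("zero responses  -> %d (expect 0)\n", demo_zero_responses());
    printf("empty payload   -> %d (expect -1)\n",
           parse_result_records(NULL, 0, INQUIRY_RESULT_LEN, NULL, NULL));
    return 0;
}
```

In the kernel the same shape applies with pkthdr.len as `len` and the event length from hci_event_hdr_t cross-checked against it; the point is that the multiplication-based check replaces both the per-iteration KKASSERT and the unguarded m_copydata, so the non-INVARIANTS build no longer reaches a NULL dereference either.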