DF-0560
hci_event_command_compl: reads status byte beyond asserted length -> short-event remote kernel panic
Summary
hci_event_command_compl(:299-317): KKASSERT(pkthdr.len>=sizeof(hci_command_compl_ep)=3)(:299) copies ep+m_adj. Then UNCONDITIONALLY m_copydata(m,0,sizeof(rp=1),&rp)(:313) to read status byte. Comment :308-312 admits not guaranteed command_complete will contain status. If controller sends CommandComplete param total=3 (no return params) -> m_copydata reads 1 byte never validated -> KASSERT(m!=NULL) panic INVARIANTS / NULL-deref non-INVARIANTS. Happens BEFORE per-opcode handler re-asserts. Remote unauth BT DoS. Fix: if(pkthdr.len>=sizeof(rp)) m_copydata.