DragonFlyBSD Kernel Audit
DF-0561

hci_event ignores hci_event_hdr_t.length: per-spec bound for all variable-length events dropped (root cause)

Summary

hci_event (:163-176) copies the event header out of the mbuf with m_copydata into hdr{type,event,length} (:168), but it never reads, validates or propagates hdr.length. hdr.length is the HCI-specified total byte count of the event parameters, which makes it the natural upper bound for every variable-length sub-parser (the num_compl_pkts handle/count pairs, the inquiry and inquiry-with-RSSI result arrays, the command_complete return parameters). Because that bound is dropped, each sub-parser either trusts a separate in-band count with no cross-check against the header length, or relies on a KKASSERT to panic when the mbuf is shorter than expected. This is the root-cause enabler for DF-0558, DF-0559 and DF-0560. Fix: validate hdr.length <= pkthdr.len - sizeof(hdr), pass the validated value down to the sub-parsers, and cap every variable-length loop by the remaining length.
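An added illustration, not DragonFly's netbt code: the header check the fix asks for, with a flat byte buffer standing in for the mbuf chain and a Number of Completed Packets parser as the capped sub-parser. The function names and the sample packets are constructed for this example; the 0x04 event indicator and 0x13 event code are the standard HCI values.

```c
/* Added example (not the DragonFly kernel's code): bound every variable-length
 * sub-parser by hdr.length, which itself has been checked against the packet. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as the header the finding describes: type, event, length. */
typedef struct { uint8_t type; uint8_t event; uint8_t length; } hci_event_hdr_t;

#define HCI_EVENT_PKT            0x04  /* H4 packet indicator for an HCI event */
#define HCI_EVENT_NUM_COMPL_PKTS 0x13  /* Number Of Completed Packets event code */

/* Params: num_handles, then num_handles x { handle (2 bytes), count (2 bytes) }.
 * 'remaining' is the validated hdr.length; returns pairs parsed or -1 on a bounds failure. */
static int
parse_num_compl_pkts(const uint8_t *params, size_t remaining)
{
    if (remaining < 1)
        return -1;
    size_t num = params[0];
    params++; remaining--;
    /* Cross-check the in-band count against the bytes the header says are present. */
    if (num * 4 > remaining)
        return -1;
    for (size_t i = 0; i < num; i++) {
        uint16_t handle = (uint16_t)(params[4*i] | (params[4*i+1] << 8));
        uint16_t count  = (uint16_t)(params[4*i+2] | (params[4*i+3] << 8));
        (void)handle; (void)count;  /* the kernel would credit the link's pending count here */
    }
    return (int)num;
}

/* Event dispatcher: hdr.length is validated once, then handed to every sub-parser. */
int
hci_event_checked(const uint8_t *pkt, size_t pktlen)
{
    hci_event_hdr_t hdr;
    if (pktlen < sizeof(hdr))
        return -1;
    memcpy(&hdr, pkt, sizeof(hdr));
    if (hdr.type != HCI_EVENT_PKT)
        return -1;
    if (hdr.length > pktlen - sizeof(hdr))   /* the check the finding asks for */
        return -1;
    const uint8_t *params = pkt + sizeof(hdr);
    if (hdr.event == HCI_EVENT_NUM_COMPL_PKTS)
        return parse_num_compl_pkts(params, hdr.length);
    return 0;  /* other events: nothing parsed in this example */
}

/* Constructed sample packets: well-formed, oversized hdr.length, oversized in-band count. */
static const uint8_t ev_ok[]       = {0x04,0x13,0x09, 0x02, 0x01,0x00,0x01,0x00, 0x02,0x00,0x03,0x00};
static const uint8_t ev_badhdr[]   = {0x04,0x13,0x20, 0x02, 0x01,0x00,0x01,0x00, 0x02,0x00,0x03,0x00};
static const uint8_t ev_badcount[] = {0x04,0x13,0x09, 0x05, 0x01,0x00,0x01,0x00, 0x02,0x00,0x03,0x00};
```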