ACL reassembly want is uint16_t: overshoot wraps -> L2CAP RX stall + unbounded memory growth
Summary
want is declared uint16_t (:421). It is computed as want = letoh16(want) + sizeof(l2cap_hdr_t) - got (:509); the expression is evaluated in mixed int/size_t arithmetic and the result is then truncated to 16 bits. When the accumulated got exceeds the claimed L2CAP frame size (l2cap_len + 4), which happens when an HCI ACL START overshoots the L2CAP boundary or when later fragments overshoot it, the subtraction goes negative and wraps to a large uint16_t value.

From then on the if (want > 0) return (:511) branch is always taken, with two consequences:
(1) the completed frame stays stuck in hl_rxp and is never delivered, so L2CAP traffic stalls (DoS);
(2) every subsequent FRAGMENT is m_cat'ed onto hl_rxp with no upper bound (:495-498), so kernel memory (M_BLUETOOTH) grows without bound.

Trigger: a malicious or buggy USB BT dongle, or a controller firmware defect inducible by a remote peer.

Fix: declare want as int (signed 32-bit) and gate on the signed value, trim the overshoot via m_adj and reprocess the trailing bytes as a fresh START, and enforce a hard cap on hl_rxp growth.
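The wrap and the signed gate described above, as an added user-space model (not the driver's code): it tracks byte counts instead of mbufs, and the names rx_result, want_u16, want_signed, reassemble and the RX_CAP value are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define L2CAP_HDR_LEN 4u                     /* sizeof(l2cap_hdr_t): length + CID */
#define RX_CAP (65535u + L2CAP_HDR_LEN)      /* assumed cap: largest L2CAP frame */
struct rx_result { size_t pending; int delivered; size_t trailing; };

/* Buggy gate: the remainder is truncated to 16 bits, so a negative value wraps. */
static uint16_t want_u16(uint16_t l2cap_len, size_t got)
{
    return (uint16_t)(l2cap_len + L2CAP_HDR_LEN - got);
}

/* Fixed gate: signed remainder; a negative result is the overshoot in bytes. */
static int want_signed(uint16_t l2cap_len, size_t got)
{
    return (int)l2cap_len + (int)L2CAP_HDR_LEN - (int)got;
}

/* Model: frag[] holds ACL fragment sizes; only byte counts are tracked. */
static struct rx_result reassemble(const size_t *frag, size_t n,
                                   uint16_t l2cap_len, int fixed)
{
    struct rx_result r = { 0, 0, 0 };
    for (size_t i = 0; i < n && !r.delivered; i++) {
        r.pending += frag[i];                /* stands in for m_cat onto hl_rxp */
        if (!fixed) {                        /* after an overshoot this is never 0 */
            r.delivered = (want_u16(l2cap_len, r.pending) == 0);
            continue;
        }
        if (r.pending > RX_CAP) {            /* hard cap: drop the pending chain */
            r.pending = 0;
            break;
        }
        int want = want_signed(l2cap_len, r.pending);
        if (want > 0) continue;              /* frame still incomplete */
        r.trailing = (size_t)(-want);        /* to trim and re-run as a new START */
        r.pending -= r.trailing;
        r.delivered = 1;
    }
    return r;
}

int main(void)
{
    const size_t frag[] = { 20, 27, 27, 27 };   /* constructed: START overshoots by 6 */
    struct rx_result b = reassemble(frag, 4, 10, 0), f = reassemble(frag, 4, 10, 1);
    printf("u16: delivered=%d pending=%zu\n", b.delivered, b.pending);
    printf("int: delivered=%d pending=%zu trailing=%zu\n", f.delivered, f.pending, f.trailing);
}
```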