DragonFlyBSD Kernel Audit
DF-0567

Memory leak of in-progress reassembly mbuf when new ACL START arrives

Summary

In hci_acl_recv, the HCI_PACKET_START case (lines 471-485) checks whether a reassembly is already in progress on the link (link->hl_rxp != NULL). If it is, the code logs "dropped incomplete ACL packet" (lines 472-474) but never frees hl_rxp; it falls through to link->hl_rxp = m (line 483), which overwrites the pointer and orphans the previous reassembly mbuf chain. Every such event leaks one mbuf chain of up to L2CAP_MTU_MAXIMUM bytes or more. Because a START packet can be sent repeatedly without ever completing the preceding packet, the leak is repeatable and can slowly exhaust the mbuf/kmem pools (denial of service). Fix: release the incomplete chain before taking the new one, i.e. if (link->hl_rxp != NULL) m_freem(link->hl_rxp); before link->hl_rxp = m.
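The following is an added model of the leak and its fix, not code from the DragonFlyBSD source. It replaces the kernel mbuf with a small counted struct (m_get_model/m_freem_model, the hci_link struct and the handler names are all constructed for this example) so that the orphaned chains can be counted: the leaky START handler mirrors the log-then-overwrite behaviour described above, the fixed handler frees hl_rxp first, and a flood of START packets (each followed by a few fragments that extend the chain) shows how many mbufs become unreachable under each.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for an mbuf chain (constructed for this example, not the
 * DragonFlyBSD mbuf). live_mbufs models pool occupancy. */
struct mbuf {
    struct mbuf *m_next;
    size_t       m_len;
};

static int live_mbufs = 0;

static struct mbuf *m_get_model(size_t len)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    m->m_len = len;
    live_mbufs++;
    return m;
}

/* Free a whole chain, like m_freem(). */
static void m_freem_model(struct mbuf *m)
{
    while (m != NULL) {
        struct mbuf *n = m->m_next;
        free(m);
        live_mbufs--;
        m = n;
    }
}

/* Per-link reassembly state; hl_rxp is the in-progress chain. */
struct hci_link {
    struct mbuf *hl_rxp;
    int          dropped;   /* count of "dropped incomplete ACL packet" events */
};

/* Vulnerable START handling: log the drop, then overwrite the pointer,
 * orphaning whatever chain was still being reassembled. */
static void acl_start_leaky(struct hci_link *link, struct mbuf *m)
{
    if (link->hl_rxp != NULL)
        link->dropped++;        /* logged, but the old chain is never freed */
    link->hl_rxp = m;
}

/* Fixed START handling: release the incomplete chain before taking the new one. */
static void acl_start_fixed(struct hci_link *link, struct mbuf *m)
{
    if (link->hl_rxp != NULL) {
        link->dropped++;
        m_freem_model(link->hl_rxp);
        link->hl_rxp = NULL;
    }
    link->hl_rxp = m;
}

/* FRAGMENT handling (same in both variants): append to the current chain,
 * or drop the fragment if no reassembly is in progress. */
static void acl_fragment(struct hci_link *link, struct mbuf *m)
{
    if (link->hl_rxp == NULL) {
        m_freem_model(m);
        return;
    }
    struct mbuf *tail = link->hl_rxp;
    while (tail->m_next != NULL)
        tail = tail->m_next;
    tail->m_next = m;
}

/* Send n START packets, each followed by frags fragments that never complete
 * the packet, then tear the link down. Returns the number of mbufs that are
 * still allocated but unreachable, i.e. leaked. */
static int start_flood_leaked(void (*start)(struct hci_link *, struct mbuf *),
                              int n, int frags)
{
    struct hci_link link = { NULL, 0 };
    live_mbufs = 0;
    for (int i = 0; i < n; i++) {
        start(&link, m_get_model(16));
        for (int f = 0; f < frags; f++)
            acl_fragment(&link, m_get_model(16));
    }
    m_freem_model(link.hl_rxp);   /* link teardown frees the current chain only */
    link.hl_rxp = NULL;
    return live_mbufs;
}

int main(void)
{
    printf("leaky: %d mbufs leaked after 100 START packets\n",
           start_flood_leaked(acl_start_leaky, 100, 3));
    printf("fixed: %d mbufs leaked after 100 START packets\n",
           start_flood_leaked(acl_start_fixed, 100, 3));
    return 0;
}
```

With the leaky handler every START after the first orphans the previous chain (here 4 mbufs each), so 99 of the 100 chains are never returned to the pool; with the fix the count is zero. In the real driver the orphaned chain can hold up to a full L2CAP reassembly buffer, which is why repeated START packets translate into pool exhaustion rather than a per-event loss of a few bytes.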