https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284920
--- Comment #1 from Robert Morris <r...@lcs.mit.edu> ---
And later, umb_decap() pulls dlen and doff out of a message sent by the USB device, and uses doff to form a pointer without a sanity check:

    dgram32 = (struct ncm_pointer32_dgram *) (buf + ptroff + dgentryoff);
    ...;
    dlen = UGETDW(dgram32->dwDatagramLen);
    doff = UGETDW(dgram32->dwDatagramIndex);
    ...;
    dp = buf + doff;
    ...;
    m = m_devget(dp, dlen, 0, ifp, NULL);

A malicious USB device could cause the wrong memory to be copied, or a page fault.
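As an added illustration (not the bug report's or the FreeBSD umb driver's own code), a stand-alone C sketch of the check the comment says is missing: the datagram entry and the datagram it indexes are both validated against the length of the buffer actually received before anything is copied. The entry struct layout, the UGETDW helper and the ncm_dgram_check/umb_decap_one/decap_sample functions are constructed stand-ins, as is the 32-byte sample frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed NDP32 entry stand-in: LE dwDatagramIndex, then LE dwDatagramLen. */
struct ncm_pointer32_dgram { uint8_t dwDatagramIndex[4]; uint8_t dwDatagramLen[4]; };
static uint32_t UGETDW(const uint8_t *p) {      /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Check one entry, and the datagram it indexes, against the length actually
 * received. doff/dlen come from the device, so neither is trusted on its own. */
static bool ncm_dgram_check(const uint8_t *buf, size_t buflen, size_t ptroff,
                            size_t dgentryoff, size_t *doff, size_t *dlen) {
    const struct ncm_pointer32_dgram *dgram32;
    uint32_t idx, len;
    /* The entry itself must sit inside the buffer (overflow-safe arithmetic). */
    if (ptroff > buflen || dgentryoff > buflen - ptroff) return false;
    if (sizeof(*dgram32) > buflen - (ptroff + dgentryoff)) return false;
    dgram32 = (const struct ncm_pointer32_dgram *)(buf + ptroff + dgentryoff);
    idx = UGETDW(dgram32->dwDatagramIndex);
    len = UGETDW(dgram32->dwDatagramLen);
    /* The datagram must be non-empty and lie entirely inside the buffer. */
    if (len == 0 || idx > buflen || len > buflen - idx) return false;
    *doff = idx; *dlen = len;
    return true;
}

/* Stand-in for the m_devget() step: copy only once the check passes.
 * Returns the bytes copied, or 0 when the entry was rejected. */
static size_t umb_decap_one(const uint8_t *buf, size_t buflen, size_t ptroff,
                            size_t dgentryoff, uint8_t *out, size_t outlen) {
    size_t doff, dlen;
    if (!ncm_dgram_check(buf, buflen, ptroff, dgentryoff, &doff, &dlen) || dlen > outlen)
        return 0;
    memcpy(out, buf + doff, dlen);
    return dlen;
}

/* Constructed 32-byte frame: payload "DGRAM!" at bytes 4..9, NDP at 16, entry at
 * 16+8 carrying the caller's index/length (little-endian). */
size_t decap_sample(uint32_t idx, uint32_t len) {
    uint8_t buf[32] = {0}, out[32], le[8] = { idx, idx >> 8, idx >> 16, idx >> 24,
                                              len, len >> 8, len >> 16, len >> 24 };
    memcpy(buf + 4, "DGRAM!", 6);
    memcpy(buf + 24, le, sizeof le);
    return umb_decap_one(buf, sizeof buf, 16, 8, out, sizeof out);
}
```

decap_sample(4, 6) copies the 6 payload bytes; an index past the buffer, a length that runs past its end, or a zero length all yield 0 instead of a copy from the wrong memory.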