https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284643
Bug ID: 284643
Summary: uath_cmdeof() NULL dereference
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu
dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the
Atheros USB wireless card, treating the replies to different commands
differently. It decides what to do based on the card's claim about
what the original request was:
hdr = (struct uath_cmd_hdr *)cmd->buf;
...;
switch (hdr->code & 0xff) {
A USB device pretending to be a uath can cause trouble if the driver
sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets
cmd->odata = NULL since no reply data is expected. But if the device
sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:
case WDCMSG_TARGET_START:
...;
bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
--
You are receiving this mail because:
You are the assignee for the bug.
