https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284643
Bug ID: 284643
Summary: uath_cmdeof() NULL dereference
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu

dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the Atheros USB wireless card, treating the replies to different commands differently. It decides what to do based on the card's claim about what the original request was:

    hdr = (struct uath_cmd_hdr *)cmd->buf;
    ...;
    switch (hdr->code & 0xff) {

A USB device pretending to be a uath can cause trouble if the driver sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets cmd->odata = NULL since no reply data is expected. But if the device sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:

    case WDCMSG_TARGET_START:
        ...;
        bcopy(hdr+1, cmd->odata, sizeof(uint32_t));

-- 
You are receiving this mail because:
You are the assignee for the bug.
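The following is an added example, not code from the FreeBSD tree or from the reporter. It models the reply-dispatch pattern the report describes and shows the defensive checks a driver needs before copying a device-supplied reply into cmd->odata: the reply must be long enough to hold the header, the device's claimed opcode must match the request the host actually sent, and the output buffer must exist and be large enough. The struct layouts, the opcode values, the result codes and the helper names are assumptions for illustration; the real definitions live in sys/dev/usb/wlan/if_uathreg.h and if_uath.c.

```c
/* Added example (not FreeBSD's if_uath.c): a hardened model of uath_cmdeof().
 * Struct layouts, opcode values and helper names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed opcode values for illustration only. */
#define WDCMSG_HOST_AVAILABLE 0x01
#define WDCMSG_TARGET_START   0x08

struct uath_cmd_hdr {      /* modelled reply header as parsed from cmd->buf */
    uint32_t len;          /* total reply length claimed by the device */
    uint32_t code;         /* reply opcode claimed by the device */
    uint32_t msgid;
    uint32_t magic;
};

struct uath_cmd {          /* modelled command slot, not the driver's struct */
    uint8_t  buf[64];      /* raw reply bytes received over USB */
    size_t   buflen;       /* bytes that actually arrived */
    uint32_t code;         /* opcode of the request the host sent */
    void    *odata;        /* reply payload destination, NULL if none expected */
    size_t   olen;         /* capacity of odata in bytes */
};

enum cmdeof_result {
    CMDEOF_OK = 0, CMDEOF_SHORT, CMDEOF_MISMATCH, CMDEOF_NO_OUTBUF, CMDEOF_UNKNOWN
};

/* Hardened dispatch: nothing in hdr is trusted until it is checked against
 * what the host recorded in cmd. Returns a result code instead of crashing. */
enum cmdeof_result uath_cmdeof_checked(struct uath_cmd *cmd)
{
    const struct uath_cmd_hdr *hdr;
    uint32_t val;

    /* 1. The reply must at least contain a complete header. */
    if (cmd->buflen < sizeof(*hdr))
        return CMDEOF_SHORT;
    hdr = (const struct uath_cmd_hdr *)cmd->buf;

    /* 2. The device's claimed opcode must match the request we sent. A reply
     *    claiming TARGET_START for a HOST_AVAILABLE request is dropped here. */
    if ((hdr->code & 0xff) != (cmd->code & 0xff))
        return CMDEOF_MISMATCH;

    switch (hdr->code & 0xff) {
    case WDCMSG_HOST_AVAILABLE:
        /* No payload expected, nothing copied; odata may legitimately be NULL. */
        return CMDEOF_OK;
    case WDCMSG_TARGET_START:
        /* 3. Copy only when a destination exists, it is big enough, and the
         *    reply really carries the bytes about to be read. */
        if (cmd->odata == NULL || cmd->olen < sizeof(val))
            return CMDEOF_NO_OUTBUF;
        if (cmd->buflen < sizeof(*hdr) + sizeof(val))
            return CMDEOF_SHORT;
        memcpy(&val, hdr + 1, sizeof(val));
        memcpy(cmd->odata, &val, sizeof(val));
        return CMDEOF_OK;
    default:
        return CMDEOF_UNKNOWN;
    }
}

/* Builds a constructed reply in cmd->buf (header followed by one uint32_t). */
static void build_reply(struct uath_cmd *cmd, uint32_t code, uint32_t payload)
{
    struct uath_cmd_hdr hdr = { .len = sizeof(hdr) + sizeof(payload),
                                .code = code, .msgid = 1, .magic = 0 };
    memcpy(cmd->buf, &hdr, sizeof(hdr));
    memcpy(cmd->buf + sizeof(hdr), &payload, sizeof(payload));
    cmd->buflen = sizeof(hdr) + sizeof(payload);
}

/* The report's scenario: host sent HOST_AVAILABLE with odata == NULL and the
 * reply claims TARGET_START. The checked dispatcher rejects it. */
enum cmdeof_result scenario_mismatched_reply(void)
{
    struct uath_cmd cmd = { .code = WDCMSG_HOST_AVAILABLE, .odata = NULL, .olen = 0 };
    build_reply(&cmd, WDCMSG_TARGET_START, 0xdeadbeefu);
    return uath_cmdeof_checked(&cmd);
}

/* Benign scenario: host sent TARGET_START with a real output buffer.
 * Returns the copied value, or 0 if the dispatcher rejected the reply. */
uint32_t scenario_valid_reply_value(void)
{
    uint32_t out = 0;
    struct uath_cmd cmd = { .code = WDCMSG_TARGET_START, .odata = &out, .olen = sizeof(out) };
    build_reply(&cmd, WDCMSG_TARGET_START, 0x12345678u);
    return uath_cmdeof_checked(&cmd) == CMDEOF_OK ? out : 0;
}

int main(void)
{
    printf("mismatched reply -> result %d (expect %d)\n",
           scenario_mismatched_reply(), CMDEOF_MISMATCH);
    printf("valid reply      -> value 0x%08x\n", scenario_valid_reply_value());
    return 0;
}
```

The ordering of the checks matters: the header-length check protects the read of hdr->code, the opcode comparison is what removes the device's ability to steer the switch into a case the host never armed, and the odata test covers the remaining case where a request legitimately expects no reply data.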