https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284643

            Bug ID: 284643
           Summary: uath_cmdeof() NULL dereference
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: r...@lcs.mit.edu

dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the
Atheros USB wireless card, treating the replies to different commands
differently. It decides what to do based on the card's claim about
what the original request was:

        hdr = (struct uath_cmd_hdr *)cmd->buf;
        ...;
        switch (hdr->code & 0xff) {

A USB device pretending to be a uath can cause trouble if the driver
sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets
cmd->odata = NULL since no reply data is expected. But if the device
sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:

        case WDCMSG_TARGET_START:
          ...;
          bcopy(hdr+1, cmd->odata, sizeof(uint32_t));

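The failure mode in the report, as an added example that is not the driver's code: a user-space model of the reply dispatch with the trusting pattern (branch on the device-supplied hdr->code, copy into cmd->odata) next to a hardened version that dispatches on the request the host actually sent, refuses to copy when no output buffer was supplied, and bounds the copy by the bytes actually received. The WDCMSG_* values, the struct layouts and field names (including sent_code) are simplified assumptions for this example and do not match the real if_uath.c definitions; the reply bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: simplified model of if_uath.c, not the driver's definitions. */
#define WDCMSG_HOST_AVAILABLE	0x01
#define WDCMSG_TARGET_START	0x04

struct uath_cmd_hdr {
	uint32_t	len;		/* length claimed by the device */
	uint32_t	code;		/* command code claimed by the device */
	uint32_t	msgid;
	uint32_t	magic;
};

struct uath_cmd {
	uint32_t	sent_code;	/* code the host sent (hypothetical field) */
	uint8_t		buf[64];	/* reply as received over USB */
	size_t		buflen;		/* bytes actually received */
	void		*odata;		/* caller's output buffer, NULL if none expected */
	int		olen;		/* capacity of odata in bytes */
};

enum { CMDEOF_OK = 0, CMDEOF_BAD_CODE = -1, CMDEOF_NO_ODATA = -2, CMDEOF_SHORT = -3 };
typedef int (*cmdeof_fn)(struct uath_cmd *);

/* The pattern the report describes: trust hdr->code, copy into odata. */
int
cmdeof_trusting(struct uath_cmd *cmd)
{
	struct uath_cmd_hdr *hdr = (struct uath_cmd_hdr *)cmd->buf;

	switch (hdr->code & 0xff) {
	case WDCMSG_HOST_AVAILABLE:
		return (CMDEOF_OK);	/* no reply data expected */
	case WDCMSG_TARGET_START:
		/* driver does bcopy(hdr + 1, cmd->odata, 4); odata may be NULL */
		memcpy(cmd->odata, hdr + 1, sizeof(uint32_t));
		return (CMDEOF_OK);
	default:
		return (CMDEOF_OK);
	}
}

/* Hardened: dispatch on the request sent, validate odata and lengths. */
int
cmdeof_checked(struct uath_cmd *cmd)
{
	struct uath_cmd_hdr *hdr = (struct uath_cmd_hdr *)cmd->buf;
	size_t need = sizeof(*hdr) + sizeof(uint32_t);

	if (cmd->buflen < sizeof(*hdr))
		return (CMDEOF_SHORT);
	/* a reply whose code does not match the request is dropped */
	if ((hdr->code & 0xff) != (cmd->sent_code & 0xff))
		return (CMDEOF_BAD_CODE);
	switch (cmd->sent_code & 0xff) {
	case WDCMSG_HOST_AVAILABLE:
		return (CMDEOF_OK);
	case WDCMSG_TARGET_START:
		/* never copy into a buffer the caller did not provide */
		if (cmd->odata == NULL || cmd->olen < (int)sizeof(uint32_t))
			return (CMDEOF_NO_ODATA);
		/* bound by what arrived, not by what the device claims */
		if (cmd->buflen < need || hdr->len < need)
			return (CMDEOF_SHORT);
		memcpy(cmd->odata, hdr + 1, sizeof(uint32_t));
		return (CMDEOF_OK);
	default:
		return (CMDEOF_BAD_CODE);
	}
}

/*
 * Build a reply as a hostile device could: sent_code is what the host asked,
 * claimed_code is what the device writes in the header, reply_bytes is how
 * much actually arrived. Returns the handler's verdict; on success with an
 * output buffer, stores the copied word in *out. Payload word is constructed.
 */
int
simulate(cmdeof_fn handler, uint32_t sent_code, uint32_t claimed_code,
    size_t reply_bytes, int with_odata, uint32_t *out)
{
	struct uath_cmd cmd;
	struct uath_cmd_hdr hdr;
	uint32_t payload = 0x41424344, tmp = 0;
	int rv;

	if (reply_bytes > sizeof(cmd.buf))
		reply_bytes = sizeof(cmd.buf);
	hdr.len = (uint32_t)reply_bytes;
	hdr.code = claimed_code;
	hdr.msgid = 1;
	hdr.magic = 0;
	memset(&cmd, 0, sizeof(cmd));
	cmd.sent_code = sent_code;
	memcpy(cmd.buf, &hdr, sizeof(hdr));
	memcpy(cmd.buf + sizeof(hdr), &payload, sizeof(payload));
	cmd.buflen = reply_bytes;
	cmd.odata = with_odata ? &tmp : NULL;
	cmd.olen = with_odata ? (int)sizeof(tmp) : 0;
	rv = handler(&cmd);
	if (rv == CMDEOF_OK && with_odata && out != NULL)
		*out = tmp;
	return (rv);
}

/* Convenience: the word copied out for a genuine TARGET_START, 0 on failure. */
uint32_t
simulate_word(cmdeof_fn handler, uint32_t sent_code, uint32_t claimed_code,
    size_t reply_bytes)
{
	uint32_t w = 0;

	(void)simulate(handler, sent_code, claimed_code, reply_bytes, 1, &w);
	return (w);
}

int
main(void)
{
	/* spoofed TARGET_START after HOST_AVAILABLE: trusting handler would
	 * dereference NULL here; checked handler drops the reply */
	printf("spoofed reply: rv=%d\n", simulate(cmdeof_checked,
	    WDCMSG_HOST_AVAILABLE, WDCMSG_TARGET_START, 20, 0, NULL));
	printf("genuine reply: word=0x%08x\n", simulate_word(cmdeof_trusting,
	    WDCMSG_TARGET_START, WDCMSG_TARGET_START, 20));
	return (0);
}
```

Matching the reply against the request the host queued is the check that closes the report's case; the odata and length checks are defence in depth, since a device that can forge hdr->code can also forge hdr->len.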