https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284718

            Bug ID: 284718
           Summary: wild pointer when rsu_event_addba_req_report() calls
                    ieee80211_ampdu_rx_start
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: r...@lcs.mit.edu

A USB device claiming to be an "rsu" wlan device can produce a
firmware event frame of type R92S_EVT_ADDBA_REQ_REPORT carrying any
8-bit ba->tid value it likes, e.g. 255. The handler in if_rsu.c,
rsu_event_addba_req_report(), passes that value straight through:

        ieee80211_ampdu_rx_start_ext(ni, ba->tid, le16toh(ba->ssn) >> 4, 32);

And that function (as its own XXX comment admits) uses tid without a sanity check:

ieee80211_ampdu_rx_start_ext(struct ieee80211_node *ni, int tid, int seq, int baw)
{
        struct ieee80211_rx_ampdu *rap;

        /* XXX TODO: sanity check tid, seq, baw */

        rap = &ni->ni_rx_ampdu[tid];
        /* ... rap is then written through ... */

ni_rx_ampdu[] has only 16 entries, so for any tid >= 16 rap points
outside the array, and the writes that follow through rap land in
whatever kernel memory happens to sit past the table.

#0  ieee80211_ampdu_rx_start_ext (ni=0xffffffc094cdb000, tid=255, 
    seq=<optimized out>, baw=<optimized out>)
    at /usr/rtm/symbsd/src/sys/net80211/ieee80211_ht.c:732
#1  0xffffffc0002839a8 in rsu_event_addba_req_report (sc=0xffffffc001731000, 
    buf=<optimized out>, len=13332)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2173
#2  rsu_rx_event (sc=0xffffffc001731000, buf=<optimized out>, 
    code=<optimized out>, len=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2234
#3  rsu_rx_multi_event (sc=0xffffffc001731000, 
    buf=0xffffffc094c7b018 "\0244\031", len=30696)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2266
#4  rsu_rxeof (xfer=<optimized out>, data=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2545
#5  rsu_bulk_rx_callback (xfer=0xffffffc094ccb148, error=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2569
#6  0xffffffc000259b7e in usbd_callback_wrapper (pq=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
#7  0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc094ccb060, 
    xfer=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
#8  0xffffffc000259d22 in usb_callback_proc (_pm=<optimized out>)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345

(gdb) print tid
$1 = 255
(gdb) print sizeof(ni->ni_rx_ampdu) / sizeof(ni->ni_rx_ampdu[0])
$2 = 16
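Added example (not code from the report or from the FreeBSD sources): a
constructed, self-contained model of the event handler and the start routine
with the bounds check the XXX comment asks for. The struct and field names
and the event byte layout (one tid byte followed by a little-endian 16-bit
ssn) are assumptions made for this example; the 16-entry limit is the value
gdb prints above, and the `>> 4` and window of 32 are the ones the driver
call shows. Any tid of 16 or more, such as the 255 from the report, is
rejected before ni_rx_ampdu[] is ever indexed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the net80211 per-node RX A-MPDU table. The entry
 * count is the value gdb printed in the report (16); the field names are
 * assumptions for this example, not the kernel's definitions.
 */
#define RX_AMPDU_ENTRIES 16
#define SEQ_RANGE 4096          /* 12-bit 802.11 sequence numbers */
#define MAX_BAW 64              /* largest block-ack window accepted here */

struct rx_ampdu {
	int rxa_flags;
	int rxa_start;          /* starting sequence number */
	int rxa_wnd;            /* block-ack window size */
};

struct node {
	struct rx_ampdu ni_rx_ampdu[RX_AMPDU_ENTRIES];
};

static uint16_t le16_to_host(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Hardened counterpart of ieee80211_ampdu_rx_start_ext(): tid, seq and baw
 * are validated before ni_rx_ampdu[] is indexed, so a device-chosen tid
 * such as 255 cannot produce a wild pointer.
 * Returns true if the session was set up, false if the input was rejected.
 */
static bool ampdu_rx_start_checked(struct node *ni, int tid, int seq, int baw)
{
	if (tid < 0 || tid >= RX_AMPDU_ENTRIES)
		return false;
	if (seq < 0 || seq >= SEQ_RANGE)
		return false;
	if (baw <= 0 || baw > MAX_BAW)
		return false;

	struct rx_ampdu *rap = &ni->ni_rx_ampdu[tid];
	rap->rxa_flags = 1;
	rap->rxa_start = seq;
	rap->rxa_wnd = baw;
	return true;
}

/*
 * Event handler in the shape of rsu_event_addba_req_report(). The wire
 * layout assumed here (constructed, not the real R92S event struct) is one
 * byte of tid followed by a little-endian 16-bit ssn, the two fields the
 * report shows the driver consuming. Nothing from the device is trusted:
 * the length is checked and the start routine rejects an out-of-range tid.
 * Returns 0 on success, -1 when the event is rejected.
 */
static int handle_addba_req_report(struct node *ni, const uint8_t *buf, size_t len)
{
	if (buf == NULL || len < 3)
		return -1;
	int tid = buf[0];
	int ssn = le16_to_host(buf + 1) >> 4;   /* same >> 4 as the driver call */
	return ampdu_rx_start_checked(ni, tid, ssn, 32) ? 0 : -1;
}

int main(void)
{
	struct node ni;
	memset(&ni, 0, sizeof(ni));

	/* Constructed events: tid 255 (the report's case) and a valid tid 5. */
	const uint8_t bad[3]  = { 255, 0x20, 0x01 };
	const uint8_t good[3] = { 5,   0x20, 0x01 };

	printf("tid 255 -> %d (rejected)\n",
	    handle_addba_req_report(&ni, bad, sizeof(bad)));
	printf("tid 5   -> %d, start seq %d, window %d\n",
	    handle_addba_req_report(&ni, good, sizeof(good)),
	    ni.ni_rx_ampdu[5].rxa_start, ni.ni_rx_ampdu[5].rxa_wnd);
	return 0;
}
```

The check belongs in ieee80211_ampdu_rx_start_ext() itself rather than only
in the rsu handler, since every driver that forwards a firmware-supplied tid
reaches the same array; rejecting seq and baw there as well closes the other
two inputs the XXX comment lists.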
