https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284876

            Bug ID: 284876
           Summary: two problems in if_upgt.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: r...@lcs.mit.edu

1) upgt_tx_done() in if_upgt.c unlocks:

        if (freed != 0) {
                UPGT_UNLOCK(sc);
                ...;
                upgt_start(sc);
                UPGT_LOCK(sc);
        }

but upgt_start() starts with:

        UPGT_ASSERT_LOCKED(sc);

2) A malicious USB device can cause a buffer overflow in upgt_rxeof(),
since eeprom->offset and eeprom->len (and the copied bytes in
data->buf) are supplied by the device, but sc->sc_eeprom is only
2*8192 bytes long.

        if (h1_type == UPGT_H1_TYPE_CTRL && h2_type == UPGT_H2_TYPE_EEPROM) {
                eeprom = (struct upgt_lmac_eeprom *)(data->buf + 4);
                uint16_t eeprom_offset = le16toh(eeprom->offset);
                uint16_t eeprom_len = le16toh(eeprom->len);

                ...;

                memcpy(sc->sc_eeprom + eeprom_offset,
                    data->buf + sizeof(struct upgt_lmac_eeprom) + 4,
                    eeprom_len);

#define UPGT_EEPROM_SIZE                8192
        uint8_t                  sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);
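
Added example (not code from the bug report or from if_upgt.c): a hardened
stand-in for the EEPROM chunk handling above, with a constructed frame
builder so the checks can be exercised offline. It assumes a simplified
frame layout (the 4 skipped header bytes from the report, then the two
little-endian uint16 fields, then payload); the real struct
upgt_lmac_eeprom carries more fields, which do not affect the bounds check.
Besides the destination bound the report calls out (offset + len against
the 2 * UPGT_EEPROM_SIZE array), it also checks the claimed len against
the transfer's actual received length, since a device can claim more
payload than it sent. All names ending in _ex, _copy and _trial are
hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes quoted in the report: sc_eeprom is 2 * UPGT_EEPROM_SIZE bytes. */
#define UPGT_EEPROM_SIZE        8192
#define SC_EEPROM_LEN           (2 * UPGT_EEPROM_SIZE)

/* Assumed (simplified) frame layout for this example: 4 bytes that
 * upgt_rxeof skips ("data->buf + 4" in the report), then a little-endian
 * uint16 offset and uint16 len, then the payload. The real
 * struct upgt_lmac_eeprom has further fields; they are omitted here. */
#define UPGT_RX_HDR_SKIP        4
#define UPGT_EEPROM_HDR_LEN     4
#define UPGT_PAYLOAD_OFF        (UPGT_RX_HDR_SKIP + UPGT_EEPROM_HDR_LEN)

struct upgt_softc_ex {                  /* stand-in for the relevant softc part */
        uint8_t sc_eeprom[SC_EEPROM_LEN];
};

static uint16_t get_le16(const uint8_t *p)
{
        return (uint16_t)(p[0] | (p[1] << 8));
}

static void put_le16(uint8_t *p, uint16_t v)
{
        p[0] = (uint8_t)(v & 0xff);
        p[1] = (uint8_t)(v >> 8);
}

/*
 * Hardened chunk handler. 'actlen' is the byte count the USB stack actually
 * delivered for this transfer. Both device-supplied fields are validated
 * against the destination array and against actlen before the memcpy.
 * Returns 0 on success, -1 if the chunk is rejected.
 */
int upgt_eeprom_chunk_copy(struct upgt_softc_ex *sc, const uint8_t *buf, size_t actlen)
{
        if (actlen < UPGT_PAYLOAD_OFF)
                return -1;                      /* header not fully received */

        uint16_t eeprom_offset = get_le16(buf + UPGT_RX_HDR_SKIP);
        uint16_t eeprom_len    = get_le16(buf + UPGT_RX_HDR_SKIP + 2);

        /* Destination: offset + len must stay inside sc_eeprom. Promote to
         * size_t so the sum cannot wrap in 16-bit arithmetic. */
        if ((size_t)eeprom_offset + eeprom_len > SC_EEPROM_LEN)
                return -1;

        /* Source: the device must really have sent eeprom_len payload bytes,
         * otherwise the copy reads past the end of the received data. */
        if (eeprom_len > actlen - UPGT_PAYLOAD_OFF)
                return -1;

        memcpy(sc->sc_eeprom + eeprom_offset, buf + UPGT_PAYLOAD_OFF, eeprom_len);
        return 0;
}

/*
 * Constructed RX frame claiming (off, len). Only as much payload as fits in
 * 'cap' is written, so a frame may claim more bytes than it carries, which
 * is exactly what a hostile device would do. Returns the frame length.
 */
size_t upgt_build_chunk_ex(uint8_t *frame, size_t cap, uint16_t off, uint16_t len, uint8_t fill)
{
        if (cap < UPGT_PAYLOAD_OFF)
                return 0;
        memset(frame, 0, UPGT_PAYLOAD_OFF);
        put_le16(frame + UPGT_RX_HDR_SKIP, off);
        put_le16(frame + UPGT_RX_HDR_SKIP + 2, len);
        size_t payload = len;
        if (payload > cap - UPGT_PAYLOAD_OFF)
                payload = cap - UPGT_PAYLOAD_OFF;
        memset(frame + UPGT_PAYLOAD_OFF, fill, payload);
        return UPGT_PAYLOAD_OFF + payload;
}

/*
 * Trial: feed one constructed chunk through the handler. Returns -1 if it
 * was rejected, 1 if accepted and every byte landed at sc_eeprom[off..],
 * 0 if accepted but miscopied (must never happen). 'truncate_to', when
 * non-zero and smaller than the built frame, models a transfer cut short.
 */
int upgt_chunk_trial(uint16_t off, uint16_t len, size_t truncate_to)
{
        static struct upgt_softc_ex sc;
        uint8_t frame[UPGT_PAYLOAD_OFF + 64];   /* constructed bulk-in buffer */
        const uint8_t fill = 0xA5;

        memset(&sc, 0, sizeof(sc));
        size_t actlen = upgt_build_chunk_ex(frame, sizeof(frame), off, len, fill);
        if (truncate_to != 0 && truncate_to < actlen)
                actlen = truncate_to;

        if (upgt_eeprom_chunk_copy(&sc, frame, actlen) != 0)
                return -1;
        for (size_t i = 0; i < len; i++)        /* off + len <= SC_EEPROM_LEN here */
                if (sc.sc_eeprom[off + i] != fill)
                        return 0;
        return 1;
}
```

In the driver the two range checks would sit where the report's "...;"
is, before the memcpy, and would reject the chunk (or reset the device)
rather than copy; the source-side bound needs the transfer's actual length,
which the device's own header must not be used for.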
