https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284876
Bug ID: 284876
Summary: two problems in if_upgt.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu

1) upgt_tx_done() in if_upgt.c unlocks:

    if (freed != 0) {
        UPGT_UNLOCK(sc);
        ...;
        upgt_start(sc);
        UPGT_LOCK(sc);
    }

but upgt_start() starts with:

    UPGT_ASSERT_LOCKED(sc);

2) A malicious USB device can cause a buffer overflow in upgt_rxeof(), since eeprom->offset and eeprom->len (and the copied bytes in data->buf) are supplied by the device, but sc->sc_eeprom is only 2*8192 bytes long.

    if (h1_type == UPGT_H1_TYPE_CTRL && h2_type == UPGT_H2_TYPE_EEPROM) {
        eeprom = (struct upgt_lmac_eeprom *)(data->buf + 4);
        uint16_t eeprom_offset = le16toh(eeprom->offset);
        uint16_t eeprom_len = le16toh(eeprom->len);
        ...;
        memcpy(sc->sc_eeprom + eeprom_offset,
            data->buf + sizeof(struct upgt_lmac_eeprom) + 4, eeprom_len);

    #define UPGT_EEPROM_SIZE 8192
    uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);
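The bounds check that problem 2 calls for, as an added illustration (not the reporter's text and not a patch from the FreeBSD tree): the device-supplied offset and len are validated against the 2*8192-byte sc_eeprom and against the bytes actually received before the memcpy runs. The struct layout is simplified to the two header fields at buf+4, and eeprom_chunk_ok, eeprom_copy_checked and eeprom_try are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes exactly as quoted in the report. */
#define UPGT_EEPROM_SIZE   8192
#define UPGT_SC_EEPROM_LEN (2 * UPGT_EEPROM_SIZE)

/* Both fields come from the USB device, so neither is trusted.
 * Accept the chunk only if [offset, offset+len) fits in sc_eeprom AND
 * the transfer really carried len payload bytes (no over-read either). */
bool
eeprom_chunk_ok(uint16_t offset, uint16_t len, size_t payload_avail)
{
	size_t end = (size_t)offset + len;	/* cannot wrap: two uint16_t */
	if (end > UPGT_SC_EEPROM_LEN)
		return false;			/* would write past sc_eeprom */
	if (len > payload_avail)
		return false;			/* would read past data->buf */
	return true;
}

/* Hardened version of the copy in upgt_rxeof(): same layout (4-byte
 * header at buf+4, payload right after it), but checked before memcpy.
 * Returns bytes copied, or 0 if the chunk was rejected. */
size_t
eeprom_copy_checked(uint8_t *sc_eeprom, const uint8_t *buf, size_t buflen)
{
	const size_t hdr_off = 4, payload_off = hdr_off + 4;
	if (buflen < payload_off)
		return 0;
	const uint8_t *h = buf + hdr_off;
	uint16_t off = (uint16_t)(h[0] | (h[1] << 8));	/* le16toh(eeprom->offset) */
	uint16_t len = (uint16_t)(h[2] | (h[3] << 8));	/* le16toh(eeprom->len) */
	if (!eeprom_chunk_ok(off, len, buflen - payload_off))
		return 0;
	memcpy(sc_eeprom + off, buf + payload_off, len);
	return len;
}

/* Test helper: constructed 24-byte frame (8 header, 16 payload) carrying
 * the given device-supplied fields, copied into a fresh sc_eeprom. */
size_t
eeprom_try(uint16_t off, uint16_t len)
{
	static uint8_t sc_eeprom[UPGT_SC_EEPROM_LEN];
	uint8_t frame[24] = { 0 };
	frame[4] = (uint8_t)(off & 0xff); frame[5] = (uint8_t)(off >> 8);
	frame[6] = (uint8_t)(len & 0xff); frame[7] = (uint8_t)(len >> 8);
	return eeprom_copy_checked(sc_eeprom, frame, sizeof(frame));
}
```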