[Bug 284718] wild pointer when rsu_event_addba_req_report() calls ieee80211_ampdu_rx_start
Date: Mon, 10 Feb 2025 18:09:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284718
Bug ID: 284718
Summary: wild pointer when rsu_event_addba_req_report() calls ieee80211_ampdu_rx_start
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu
A USB device claiming to be an "rsu" wlan device can produce a
firmware event frame of type R92S_EVT_ADDBA_REQ_REPORT with an 8-bit
ba->tid value of whatever it wants, including e.g. 255.
if_rsu.c's rsu_event_addba_req_report() calls:
ieee80211_ampdu_rx_start_ext(ni, ba->tid, le16toh(ba->ssn) >> 4, 32);
And (as noted) that function uses tid w/o a sanity check:
ieee80211_ampdu_rx_start_ext(struct ieee80211_node *ni, int tid, int seq, int baw)
{
	struct ieee80211_rx_ampdu *rap;

	/* XXX TODO: sanity check tid, seq, baw */
	rap = &ni->ni_rx_ampdu[tid];
ni_rx_ampdu[] has only 16 entries, so rap, which is written through,
points to somewhere it shouldn't.
#0 ieee80211_ampdu_rx_start_ext (ni=0xffffffc094cdb000, tid=255,
seq=<optimized out>, baw=<optimized out>)
at /usr/rtm/symbsd/src/sys/net80211/ieee80211_ht.c:732
#1 0xffffffc0002839a8 in rsu_event_addba_req_report (sc=0xffffffc001731000,
buf=<optimized out>, len=13332)
at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2173
#2 rsu_rx_event (sc=0xffffffc001731000, buf=<optimized out>,
code=<optimized out>, len=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2234
#3 rsu_rx_multi_event (sc=0xffffffc001731000,
buf=0xffffffc094c7b018 "\0244\031", len=30696)
at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2266
#4 rsu_rxeof (xfer=<optimized out>, data=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2545
#5 rsu_bulk_rx_callback (xfer=0xffffffc094ccb148, error=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2569
#6 0xffffffc000259b7e in usbd_callback_wrapper (pq=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
#7 0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc094ccb060,
xfer=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
#8 0xffffffc000259d22 in usb_callback_proc (_pm=<optimized out>)
at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345
(gdb) print tid
$1 = 255
(gdb) print sizeof(ni->ni_rx_ampdu) / sizeof(ni->ni_rx_ampdu[0])
$2 = 16
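The following is an added, self-contained C model of the report above; it is not code from the FreeBSD tree and not the project's fix. It puts the unchecked indexing next to a checked version of the same entry point and runs a constructed ADDBA_REQ_REPORT body through a model of rsu_event_addba_req_report(). WME_NUM_TID = 16 is the real net80211 array size; the 9-byte event layout (mac[6], little-endian ssn, 8-bit tid), the seq/baw limits, and the reduced struct definitions are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WME_NUM_TID        16     /* net80211: one ni_rx_ampdu[] slot per TID */
#define IEEE80211_ADDR_LEN 6
#define SEQ_RANGE          4096   /* 802.11 sequence numbers are 12 bits */
#define BAW_MAX            64     /* assumed ceiling for the block-ack window */
#define ADDBA_EVT_LEN      9      /* assumed event body: mac[6], ssn le16, tid u8 */

/* Stand-in for struct ieee80211_rx_ampdu, reduced to what this model writes. */
struct rx_ampdu {
	int      active;
	unsigned start_seq;
	unsigned baw;
};

/* Stand-in for struct ieee80211_node; `after` is whatever follows the array. */
struct node {
	uint8_t         macaddr[IEEE80211_ADDR_LEN];
	struct rx_ampdu rx_ampdu[WME_NUM_TID];
	uint32_t        after;
};

/* Byte offset of slot `tid` from the start of the node, computed as plain
 * arithmetic so that asking about tid=255 is not itself undefined behaviour. */
size_t ampdu_slot_offset(int tid)
{
	return offsetof(struct node, rx_ampdu) + (size_t)tid * sizeof(struct rx_ampdu);
}

/* The shape of the bug: tid indexes rx_ampdu[] with no range check, so a
 * device-supplied tid of 255 makes `rap` point thousands of bytes past the
 * node. Shown for contrast only; never called with an out-of-range tid here. */
int ampdu_rx_start_unchecked(struct node *ni, int tid, int seq, int baw)
{
	struct rx_ampdu *rap = &ni->rx_ampdu[tid];   /* the "XXX TODO" line */

	rap->active = 1;
	rap->start_seq = (unsigned)seq;
	rap->baw = (unsigned)baw;
	return 0;
}

/* Hardened form: reject anything the firmware event could not legitimately
 * carry before touching memory. The seq/baw limits are this example's choice. */
int ampdu_rx_start_checked(struct node *ni, int tid, int seq, int baw)
{
	struct rx_ampdu *rap;

	if (tid < 0 || tid >= WME_NUM_TID)
		return -1;
	if (seq < 0 || seq >= SEQ_RANGE)
		return -1;
	if (baw <= 0 || baw > BAW_MAX)
		return -1;
	rap = &ni->rx_ampdu[tid];
	rap->active = 1;
	rap->start_seq = (unsigned)seq;
	rap->baw = (unsigned)baw;
	return 0;
}

/* Model of rsu_event_addba_req_report(): length-check the event, pull the
 * little-endian SSN and the 8-bit TID, and hand them to the checked entry point. */
int rsu_handle_addba_req_report(struct node *ni, const uint8_t *buf, size_t len)
{
	uint16_t ssn;
	int tid;

	if (len < ADDBA_EVT_LEN)
		return -1;                                    /* truncated event */
	ssn = (uint16_t)(buf[6] | ((uint16_t)buf[7] << 8)); /* le16toh(ba->ssn) */
	tid = buf[8];                                         /* ba->tid, device-controlled */
	return ampdu_rx_start_checked(ni, tid, ssn >> 4, 32);
}

/* Constructed event bodies: mac 00:11:22:33:44:55, ssn 0x0120 (seq 18), tid 0 / 255. */
const uint8_t evt_ok[ADDBA_EVT_LEN]  = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x20,0x01, 0x00 };
const uint8_t evt_bad[ADDBA_EVT_LEN] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x20,0x01, 0xff };

/* Feed one event to a fresh node; returns -1 if rejected, else the recorded seq. */
int run_event(const uint8_t *evt, size_t len)
{
	struct node n;
	int rc;

	memset(&n, 0, sizeof(n));
	rc = rsu_handle_addba_req_report(&n, evt, len);
	if (rc != 0)
		return -1;
	return (int)n.rx_ampdu[evt[8]].start_seq;   /* tid already validated */
}

int main(void)
{
	printf("tid 0   -> %d (seq recorded)\n", run_event(evt_ok, sizeof(evt_ok)));
	printf("tid 255 -> %d (rejected)\n", run_event(evt_bad, sizeof(evt_bad)));
	printf("unchecked slot 255 would sit at byte %zu of a %zu-byte node\n",
	    ampdu_slot_offset(255), sizeof(struct node));
	return 0;
}
```

The check belongs at the net80211 entry point rather than only in if_rsu.c, because every driver that forwards a firmware- or frame-supplied TID hits the same array; the length check in the event parser is a separate, driver-side guard against a short event body.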