From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 284718] wild pointer when rsu_event_addba_req_report() calls ieee80211_ampdu_rx_start
Date: Mon, 10 Feb 2025 18:09:06 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284718

            Bug ID: 284718
           Summary: wild pointer when rsu_event_addba_req_report() calls
                    ieee80211_ampdu_rx_start
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

A USB device claiming to be an "rsu" wlan device can produce a firmware
event frame of type R92S_EVT_ADDBA_REQ_REPORT with an 8-bit ba->tid value
of whatever it wants, including e.g. 255. if_rsu.c's
rsu_event_addba_req_report() calls:

    ieee80211_ampdu_rx_start_ext(ni, ba->tid, le16toh(ba->ssn) >> 4, 32);

And (as noted) that function uses tid w/o a sanity check:

ieee80211_ampdu_rx_start_ext(struct ieee80211_node *ni, int tid, int seq, int baw)
{
        struct ieee80211_rx_ampdu *rap;

        /* XXX TODO: sanity check tid, seq, baw */
        rap = &ni->ni_rx_ampdu[tid];

ni_rx_ampdu[] has only 16 entries, so rap, which is written through,
points to somewhere it shouldn't.
#0  ieee80211_ampdu_rx_start_ext (ni=0xffffffc094cdb000, tid=255,
    seq=, baw=)
    at /usr/rtm/symbsd/src/sys/net80211/ieee80211_ht.c:732
#1  0xffffffc0002839a8 in rsu_event_addba_req_report (sc=0xffffffc001731000,
    buf=, len=13332)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2173
#2  rsu_rx_event (sc=0xffffffc001731000, buf=,
    code=, len=)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2234
#3  rsu_rx_multi_event (sc=0xffffffc001731000,
    buf=0xffffffc094c7b018 "\0244\031", len=30696)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2266
#4  rsu_rxeof (xfer=, data=)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2545
#5  rsu_bulk_rx_callback (xfer=0xffffffc094ccb148, error=)
    at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2569
#6  0xffffffc000259b7e in usbd_callback_wrapper (pq=)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
#7  0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc094ccb060,
    xfer=)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
#8  0xffffffc000259d22 in usb_callback_proc (_pm=)
    at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345

(gdb) print tid
$1 = 255
(gdb) print sizeof(ni->ni_rx_ampdu) / sizeof(ni->ni_rx_ampdu[0])
$2 = 16
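The tid sanity check that the quoted "XXX TODO" comment calls for, as an added C example that is not code from if_rsu.c or net80211: it models the 16-slot per-node reorder array from the gdb output and a constructed 9-byte event layout (the MAC/tid/ssn layout and the names addba_req_handle and run_constructed_event are assumptions), and rejects a device-supplied tid such as 255 before it can be used as an array index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Per-node receive-reorder slots: 16 entries, as the report's gdb output shows. */
#define NUM_TID 16
struct rx_ampdu { bool active; uint16_t start_seq; int baw; };
struct node { struct rx_ampdu rx_ampdu[NUM_TID]; };

/* Constructed event layout used here (an assumption, not if_rsu.c's struct):
 * 6-byte MAC, 1-byte tid, 2-byte little-endian ssn with the 12-bit SSN in
 * the upper bits, matching the "le16toh(ba->ssn) >> 4" the report quotes. */
#define EVT_LEN 9
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hardened handler: validates device-controlled fields before indexing.
 * Returns 0 on success, -1 on a short or out-of-range event. */
int addba_req_handle(struct node *ni, const uint8_t *buf, size_t len)
{
    if (len < EVT_LEN)
        return -1;                                 /* short event frame */
    uint8_t tid = buf[6];
    uint16_t seq = get_le16(&buf[7]) >> 4;         /* 0..4095 after the shift */
    if (tid >= NUM_TID)                            /* the check the report says is missing */
        return -1;
    struct rx_ampdu *rap = &ni->rx_ampdu[tid];     /* in bounds by construction */
    rap->active = true;
    rap->start_seq = seq;
    rap->baw = 32;
    return 0;
}

/* Builds a constructed event with the given tid/ssn, runs the handler on a
 * fresh node, and returns -1 if it was rejected, else the recorded SSN. */
int run_constructed_event(uint8_t tid, uint16_t ssn)
{
    struct node ni = {0};
    uint8_t buf[EVT_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01, tid,
                            (uint8_t)(ssn & 0xff), (uint8_t)(ssn >> 8)};
    if (addba_req_handle(&ni, buf, sizeof buf) != 0)
        return -1;
    return ni.rx_ampdu[tid].start_seq;
}

int main(void)
{
    printf("tid 5 -> %d, tid 255 -> %d\n", run_constructed_event(5, 0x1230),
           run_constructed_event(255, 0x1230));   /* 291, -1 */
    return 0;
}
```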