[Bug 284876] two problems in if_upgt.c
Date: Tue, 18 Feb 2025 10:58:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284876
Bug ID: 284876
Summary: two problems in if_upgt.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu
1) upgt_tx_done() in if_upgt.c unlocks:
    if (freed != 0) {
        UPGT_UNLOCK(sc);
        ...;
        upgt_start(sc);
        UPGT_LOCK(sc);
    }
but upgt_start() starts with:
    UPGT_ASSERT_LOCKED(sc);
2) A malicious USB device can cause a buffer overflow in upgt_rxeof(),
since eeprom->offset and eeprom->len (and the copied bytes in
data->buf) are supplied by the device, but sc->sc_eeprom is only
2*8192 bytes long.
    if (h1_type == UPGT_H1_TYPE_CTRL && h2_type == UPGT_H2_TYPE_EEPROM) {
        eeprom = (struct upgt_lmac_eeprom *)(data->buf + 4);
        uint16_t eeprom_offset = le16toh(eeprom->offset);
        uint16_t eeprom_len = le16toh(eeprom->len);
        ...;
        memcpy(sc->sc_eeprom + eeprom_offset,
            data->buf + sizeof(struct upgt_lmac_eeprom) + 4,
            eeprom_len);

    #define UPGT_EEPROM_SIZE 8192
    uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);
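A bounds-checked form of the copy from problem 2, added here as an illustration; it is not code from the bug report or from the FreeBSD driver. The struct layout, the 4-byte preamble before the EEPROM header, the softc stand-in and the rd_le16() helper are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UPGT_EEPROM_SIZE 8192

/* Assumed on-wire layout of the EEPROM reply: the two device-supplied
 * fields named in the report, both little-endian 16-bit (assumption). */
struct upgt_lmac_eeprom {
    uint16_t offset;
    uint16_t len;
};

/* Constructed stand-in for the driver softc; only the EEPROM image matters. */
struct upgt_softc {
    uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE];
};

/* Portable little-endian read, standing in for le16toh(); also avoids an
 * unaligned access to the header inside the USB buffer. */
static uint16_t
rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Hardened form of the copy in upgt_rxeof(): both device-controlled values
 * are checked against the bytes actually received (buflen) and against the
 * destination before memcpy() runs. Returns true if the chunk was stored.
 */
static bool
upgt_eeprom_copy_checked(struct upgt_softc *sc, const uint8_t *buf, size_t buflen)
{
    const size_t hdr = 4 + sizeof(struct upgt_lmac_eeprom); /* 4-byte preamble assumed */
    uint16_t off, len;

    if (buflen < hdr)
        return false;                 /* frame too short to hold the header */
    off = rd_le16(buf + 4);           /* eeprom->offset */
    len = rd_le16(buf + 6);           /* eeprom->len */
    if (len > buflen - hdr)
        return false;                 /* claims more payload than arrived */
    if (off > sizeof(sc->sc_eeprom) || len > sizeof(sc->sc_eeprom) - off)
        return false;                 /* would write past the 16 KiB sc_eeprom */
    memcpy(sc->sc_eeprom + off, buf + hdr, len);
    return true;
}
```

The second check is what the original memcpy lacks: with a device-chosen offset of up to 65535 and length of up to 65535, the 16384-byte sc_eeprom can be overrun by tens of kilobytes.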