[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Mar 22 15:20:36 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #4 from Tommaso <cutesmilee.research at protonmail.com> ---
(In reply to Tommaso from comment #3)
static int
rsu_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
const struct ieee80211_bpf_params *params)
{
struct ieee80211com *ic = ni->ni_ic;
struct rsu_softc *sc = ic->ic_softc;
struct rsu_data *bf;
/* prevent management frames from being sent if we're not ready */
if (!sc->sc_running) { // no lock is taken
m_freem(m);
return (ENETDOWN);
}
RSU_LOCK(sc); // locks
bf = rsu_getbuf(sc);
if (bf == NULL) {
m_freem(m);
RSU_UNLOCK(sc); // unlocks only after the if and the free
return (ENOBUFS);
}
if (rsu_tx_start(sc, ni, m, bf) != 0) {
m_freem(m);
rsu_freebuf(sc, bf);
RSU_UNLOCK(sc); // same here
return (EIO);
}
RSU_UNLOCK(sc); // unlocks if no error occurred
return (0);
}
for example in rum driver a lock is taken:
static int
rum_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
const struct ieee80211_bpf_params *params)
{
struct rum_softc *sc = ni->ni_ic->ic_softc;
int ret;
RUM_LOCK(sc); // lock taken before checking sc_running value
/* prevent management frames from being sent if we're not ready */
if (!sc->sc_running) {
ret = ENETDOWN;
goto bad;
}
if (sc->tx_nfree < RUM_TX_MINFREE) {
ret = EIO;
goto bad;
}
if (params == NULL) {
/*
* Legacy path; interpret frame contents to decide
* precisely how to send the frame.
*/
if ((ret = rum_tx_mgt(sc, m, ni)) != 0)
goto bad;
} else {
/*
* Caller supplied explicit parameters to use in
* sending the frame.
*/
if ((ret = rum_tx_raw(sc, m, ni, params)) != 0)
goto bad;
}
RUM_UNLOCK(sc);
return 0;
bad:
RUM_UNLOCK(sc);
m_freem(m);
return ret;
}
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-wireless
mailing list