rsu_event_addba_req_report() calls ieee80211_ampdu_rx_start

Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu

A USB device claiming to be an "rsu" wlan device can produce a firmware event frame of type R92S_EVT_ADDBA_REQ_REPORT with an 8-bit ba->tid value of whatever it wants, including e.g. 255. if_rsu.c's rsu_event_addba_req_report() calls:

    ieee80211_ampdu_rx_start_ext(ni, ba->tid, le16toh(ba->ssn) >> 4, 32);

And (as noted) that function uses tid w/o a sanity check:

    ieee80211_ampdu_rx_start_ext(struct ieee80211_node *ni, int tid, int seq, int baw)
    {
            struct ieee80211_rx_ampdu *rap;

            /* XXX TODO: sanity check tid, seq, baw */
            rap = &ni->ni_rx_ampdu[tid];

ni_rx_ampdu[] has only 16 entries, so rap, which is written through, points to somewhere it shouldn't.

    #0  ieee80211_ampdu_rx_start_ext (ni=0xffffffc094cdb000, tid=255, seq=, baw=)
        at /usr/rtm/symbsd/src/sys/net80211/ieee80211_ht.c:732
    #1  0xffffffc0002839a8 in rsu_event_addba_req_report (sc=0xffffffc001731000, buf=, len=13332)
        at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2173
    #2  rsu_rx_event (sc=0xffffffc001731000, buf=, code=, len=)
        at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2234
    #3  rsu_rx_multi_event (sc=0xffffffc001731000, buf=0xffffffc094c7b018 "\0244\031", len=30696)
        at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2266
    #4  rsu_rxeof (xfer=, data=)
        at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2545
    #5  rsu_bulk_rx_callback (xfer=0xffffffc094ccb148, error=)
        at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2569
    #6  0xffffffc000259b7e in usbd_callback_wrapper (pq=)
        at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482
    #7  0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc094ccb060, xfer=)
        at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188
    #8  0xffffffc000259d22 in usb_callback_proc (_pm=)
        at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345

    (gdb) print tid
    $1 = 255
    (gdb) print sizeof(ni->ni_rx_ampdu) / sizeof(ni->ni_rx_ampdu[0])
    $2 = 16
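The defect in the report is a device-controlled index used against a fixed 16-entry array. The following is an added example written for this page, not code from the report, from FreeBSD, or from the rsu driver: it models the same shape with stand-in types (struct node, struct rx_ampdu, a constructed 4-byte event layout, NUM_TID assumed to be 16 from the gdb output above), keeps the unchecked indexing beside a form that validates tid, seq and baw before touching the array, and computes where a tid of 255 would land in the node without performing the out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the bug report or from FreeBSD. The struct
 * names, fields and the event layout are stand-ins for the net80211 and
 * if_rsu definitions, chosen so the example runs on its own.
 */

#define NUM_TID 16   /* assumed: the gdb output in the report shows 16 entries */

struct rx_ampdu {          /* stand-in for struct ieee80211_rx_ampdu */
    int      rxa_flags;
    int      rxa_wnd;      /* block-ack window size */
    uint16_t rxa_start;    /* next expected sequence number */
};

struct node {              /* stand-in for struct ieee80211_node */
    struct rx_ampdu ni_rx_ampdu[NUM_TID];
    uint32_t        guard; /* stands for whatever follows the array in memory */
};

/* The unchecked form, mirroring the call in the report: tid is used as an
 * index as-is, so tid=255 writes well past the end of ni_rx_ampdu[]. */
static void vuln_rx_start(struct node *ni, int tid, int seq, int baw)
{
    struct rx_ampdu *rap = &ni->ni_rx_ampdu[tid];   /* no bounds check */
    rap->rxa_flags = 1;
    rap->rxa_wnd   = baw;
    rap->rxa_start = (uint16_t)seq;
}

/* Byte offset inside struct node that index `tid` addresses. Shows where a
 * hostile tid would land without actually doing the bad write. */
static size_t slot_offset(int tid)
{
    return offsetof(struct node, ni_rx_ampdu) + (size_t)tid * sizeof(struct rx_ampdu);
}

/* Hardened form: validate every caller-supplied value before indexing.
 * seq is a 12-bit 802.11 sequence number; the baw limit of 64 is an
 * assumed HT-era bound, not something the report states. */
static int hardened_rx_start(struct node *ni, int tid, int seq, int baw)
{
    if (tid < 0 || tid >= NUM_TID)
        return -1;                 /* would be EINVAL in the kernel */
    if (seq < 0 || seq > 4095)
        return -1;
    if (baw <= 0 || baw > 64)
        return -1;
    struct rx_ampdu *rap = &ni->ni_rx_ampdu[tid];
    rap->rxa_flags = 1;
    rap->rxa_wnd   = baw;
    rap->rxa_start = (uint16_t)seq;
    return 0;
}

/*
 * Constructed event layout (not the real R92S one): byte 0 = mac id,
 * byte 1 = tid, bytes 2..3 = ssn little-endian. The bytes arrive from the
 * USB bulk-in path, so all of them are under the device's control.
 */
#define BA_REPORT_LEN 4

static int handle_addba_req_report(struct node *ni, const uint8_t *buf, size_t len)
{
    if (len < BA_REPORT_LEN)
        return -1;                 /* truncated event: reject before parsing */
    int tid = buf[1];
    int ssn = buf[2] | (buf[3] << 8);
    return hardened_rx_start(ni, tid, ssn >> 4, 32);
}

/* Constructed sample events: a hostile tid=255 and a benign tid=5 (ssn 0x0240). */
static const uint8_t hostile_event[BA_REPORT_LEN] = { 0x00, 0xff, 0x10, 0x00 };
static const uint8_t benign_event[BA_REPORT_LEN]  = { 0x00, 0x05, 0x40, 0x02 };

int main(void)
{
    struct node n;
    memset(&n, 0, sizeof n);
    vuln_rx_start(&n, 5, 36, 32);  /* in-range call only; tid=255 here would corrupt memory */
    printf("tid 255 would write at byte offset %zu of a %zu-byte node\n",
           slot_offset(255), sizeof(struct node));
    printf("hostile event -> %d, benign event -> %d\n",
           handle_addba_req_report(&n, hostile_event, sizeof hostile_event),
           handle_addba_req_report(&n, benign_event, sizeof benign_event));
    return 0;
}
```

The length check in handle_addba_req_report matters as much as the tid check: the backtrace shows the event arriving with a device-supplied len, so a parser that reads ba->tid before confirming the frame is long enough is reading past the buffer on a different path.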