Message-Id: <20020628202606.82DCA2D1@kjell.utb.falun.se>
Date: Fri, 28 Jun 2002 22:26:06 +0200 (CEST)
From: elias@kjell.utb.falun.se
Reply-To: elias@kjell.utb.falun.se
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/39960: wi driver can cause system crash when trying to handle negative value for WI_RID_TX_CRYPT_KEY
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         39960
>Category:       kern
>Synopsis:       wi driver can cause system crash when trying to handle negative value for WI_RID_TX_CRYPT_KEY
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 28 13:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Elias Norberg
>Release:        FreeBSD 4.6-RELEASE i386
>Organization:
>Environment:
System: FreeBSD node23 4.6-RELEASE FreeBSD 4.6-RELEASE #1: Sat Jun 22 16:22:28 CEST 2002 root@node23:/usr/src/sys/compile/FreeBSD i386

>Description:
When executing the following command on a computer with the 3CRWE777A
wireless device, the system crashes:

wicontrol -T 0

In turn, wicontrol executes the following code:
(this code has been shortened down to show the cause of the problem)

----------
struct wi_req wreq;
struct ifreq ifr;
int sock;

sock = socket(AF_INET, SOCK_DGRAM, 0);

/* Request: set the transmit key index to a negative value */
wreq.wi_type = WI_RID_TX_CRYPT_KEY;
wreq.wi_len = 2;
wreq.wi_val[0] = -1;

/* Attach the request to interface wi0 and hand it to the driver */
bzero(&ifr, sizeof(ifr));
strcpy(ifr.ifr_name, "wi0");
ifr.ifr_data = (caddr_t)&wreq;
ioctl(sock, SIOCSWAVELAN, &ifr);
close(sock);
----------

When this ioctl is executed, the system crashes, due to an illegal value
being written to the wireless card.

>How-To-Repeat:
See above for a complete code-snippet which reproduces this; alternatively,
try executing 'wicontrol -T 0'.

>Fix:
Below is a patch for sys/dev/wi/if_wi.c from 4.6-RELEASE.
This takes care of the problem, and shouldn't break anything, since the
standard values range from 0 to 3.

>Release-Note:
>Audit-Trail:
>Unformatted:
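
The range check described under >Fix, as an added example. It is not the patch from the report (which is not reproduced on this page) and not FreeBSD's code; the struct, the ex_ names and the record-type value are constructed stand-ins, and the unsigned 16-bit value word is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not the wi(4) header definitions. */
#define EX_RID_TX_CRYPT_KEY 0x0001u  /* placeholder record type */
#define EX_MAX_KEY_INDEX    3u       /* report: standard values range from 0 to 3 */

struct ex_req {
    uint16_t len;      /* length in 16-bit words, as in the report's wi_len = 2 */
    uint16_t type;
    uint16_t val[4];   /* assumption: value words are unsigned 16-bit */
};

/* Return 0 if the request may be passed on to the hardware, EINVAL otherwise. */
int ex_validate(const struct ex_req *r)
{
    if (r->type != EX_RID_TX_CRYPT_KEY)
        return 0;                 /* other record types are out of scope here */
    if (r->len != 2)
        return EINVAL;            /* exactly one value word expected */
    /* -1 stored in an unsigned 16-bit word reads back as 0xFFFF, so one
     * upper-bound comparison rejects negative and too-large indices alike. */
    if (r->val[0] > EX_MAX_KEY_INDEX)
        return EINVAL;
    return 0;
}

/* Build the request the way the snippet in the report does, then validate it. */
int ex_try_key(int key)
{
    struct ex_req r = { 2, EX_RID_TX_CRYPT_KEY, { 0 } };
    r.val[0] = (uint16_t)key;
    return ex_validate(&r);
}

int main(void)
{
    int keys[] = { -1, 0, 3, 4 };   /* constructed sample inputs */
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        printf("key %d -> %s\n", keys[i], ex_try_key(keys[i]) ? "EINVAL" : "ok");
    return 0;
}
```

The check belongs in the ioctl path before the value reaches the card, so that a caller-supplied index is rejected with an error instead of being written to the device.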