Date: Tue, 18 Feb 2025 10:58:41 +0000
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 284876] two problems in if_upgt.c
Message-ID: <bug-284876-21060@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284876

            Bug ID: 284876
           Summary: two problems in if_upgt.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

1) upgt_tx_done() in if_upgt.c unlocks:

        if (freed != 0) {
                UPGT_UNLOCK(sc);
                ...;
                upgt_start(sc);
                UPGT_LOCK(sc);
        }

but upgt_start() starts with:

        UPGT_ASSERT_LOCKED(sc);

2) A malicious USB device can cause a buffer overflow in upgt_rxeof(),
since eeprom->offset and eeprom->len (and the copied bytes in data->buf)
are supplied by the device, but sc->sc_eeprom is only 2*8192 bytes long.

        if (h1_type == UPGT_H1_TYPE_CTRL && h2_type == UPGT_H2_TYPE_EEPROM) {
                eeprom = (struct upgt_lmac_eeprom *)(data->buf + 4);
                uint16_t eeprom_offset = le16toh(eeprom->offset);
                uint16_t eeprom_len = le16toh(eeprom->len);
                ...;
                memcpy(sc->sc_eeprom + eeprom_offset,
                    data->buf + sizeof(struct upgt_lmac_eeprom) + 4,
                    eeprom_len);

        #define UPGT_EEPROM_SIZE 8192
        uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);

-- 
You are receiving this mail because:
You are the assignee for the bug.
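The bounds check that the report's second item calls for, as an added example that is not part of the bug report or of the FreeBSD if_upgt driver: a stand-alone C model of the EEPROM copy in which the device-supplied offset and length are validated against both the fixed 2*8192-byte destination and the number of bytes actually received before memcpy() runs. The header struct (`eeprom_hdr`, only the two fields that matter), the 4-byte prefix, the helper names and the constructed frames are assumptions for illustration; the real `struct upgt_lmac_eeprom` carries more fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UPGT_EEPROM_SIZE 8192                 /* as quoted in the report */
#define EEPROM_BUF_SIZE  (2 * UPGT_EEPROM_SIZE)
#define HDR_PREFIX       4                    /* the "+ 4" before the header in data->buf */

/* Simplified stand-in (assumption) for the device-supplied header: two
 * little-endian 16-bit fields, offset and len. */
struct eeprom_hdr {
    uint16_t offset;
    uint16_t len;
};
#define PAYLOAD_OFF (HDR_PREFIX + sizeof(struct eeprom_hdr))   /* == 8 */

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Model of the unchecked copy the report describes: true when trusting the
 * device's offset/len would write past the end of sc_eeprom. Nothing is
 * copied here; this only evaluates the arithmetic. */
bool would_overrun(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < PAYLOAD_OFF)
        return false;                         /* header not even present */
    size_t off = get_le16(frame + HDR_PREFIX);
    size_t len = get_le16(frame + HDR_PREFIX + 2);
    return off + len > EEPROM_BUF_SIZE;       /* widened to size_t: no wrap */
}

/* Hardened copy: performs the memcpy only when (a) offset+len fits inside
 * the destination buffer and (b) the received frame really carries len
 * payload bytes. Returns true on success, false when the frame is rejected. */
bool eeprom_copy_checked(uint8_t *sc_eeprom, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < PAYLOAD_OFF)
        return false;                         /* truncated header */
    size_t off = get_le16(frame + HDR_PREFIX);
    size_t len = get_le16(frame + HDR_PREFIX + 2);
    if (off + len > EEPROM_BUF_SIZE)
        return false;                         /* destination bound */
    if (len > frame_len - PAYLOAD_OFF)
        return false;                         /* source bound: no read past the USB buffer */
    memcpy(sc_eeprom + off, frame + PAYLOAD_OFF, len);
    return true;
}

/* Builds a constructed test frame: 4-byte prefix, LE offset, LE len, then
 * payload_bytes bytes of fill (payload_bytes may be less than the claimed len
 * to model a device that lies about its length). Returns the frame size, or
 * 0 if the output buffer is too small. */
size_t make_frame(uint8_t *out, size_t cap, uint16_t off, uint16_t len,
                  size_t payload_bytes, uint8_t fill)
{
    if (cap < PAYLOAD_OFF + payload_bytes)
        return 0;
    memset(out, 0, HDR_PREFIX);
    out[HDR_PREFIX]     = (uint8_t)(off & 0xff);
    out[HDR_PREFIX + 1] = (uint8_t)(off >> 8);
    out[HDR_PREFIX + 2] = (uint8_t)(len & 0xff);
    out[HDR_PREFIX + 3] = (uint8_t)(len >> 8);
    memset(out + PAYLOAD_OFF, fill, payload_bytes);
    return PAYLOAD_OFF + payload_bytes;
}

int main(void)
{
    static uint8_t sc_eeprom[EEPROM_BUF_SIZE];
    uint8_t frame[256];

    size_t n = make_frame(frame, sizeof frame, 0, 16, 16, 0xAB);
    printf("in-bounds frame:   accepted=%d\n", eeprom_copy_checked(sc_eeprom, frame, n));

    n = make_frame(frame, sizeof frame, 16380, 100, 100, 0xCD);
    printf("offset+len > buf:  would_overrun=%d accepted=%d\n",
           would_overrun(frame, n), eeprom_copy_checked(sc_eeprom, frame, n));

    n = make_frame(frame, sizeof frame, 0, 64, 8, 0xEE);
    printf("len > received:    accepted=%d\n", eeprom_copy_checked(sc_eeprom, frame, n));
    return 0;
}
```

Both checks are needed: the first stops the write past `sc_eeprom`, the second stops a read past the end of the received USB buffer when the device claims more payload than it sent. Widening the two 16-bit fields to `size_t` before adding them avoids any wrap in the comparison.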
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-284876-21060>
