Bug 284643 - uath_cmdeof() NULL dereference
Summary: uath_cmdeof() NULL dereference
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-wireless (Nobody)
Reported: 2025-02-07 19:09 UTC by Robert Morris
Modified: 2025-02-19 16:27 UTC
jlduran: mfc-stable14+
jlduran: mfc-stable13+


Description Robert Morris 2025-02-07 19:09:46 UTC
dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the
Atheros USB wireless card, treating the replies to different commands
differently. It decides what to do based on the card's claim about
what the original request was:

        hdr = (struct uath_cmd_hdr *)cmd->buf;
        ...;
        switch (hdr->code & 0xff) {

A USB device pretending to be a uath can cause trouble if the driver
sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets
cmd->odata = NULL since no reply data is expected. But if the device
sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:

        case WDCMSG_TARGET_START:
          ...;
          bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
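
The failure mode described in this report, as a userland model added here (not part of the original report and not the committed FreeBSD change): the reply handler refuses to copy when the pending command has no output buffer or the reply is too short. The struct layouts, `fill_reply`, `handle_reply` and the constant's numeric value are simplified assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WDCMSG_TARGET_START 0x02  /* placeholder value, not the driver's */
struct reply_hdr {     /* simplified stand-in for struct uath_cmd_hdr */
	uint32_t len;      /* device-supplied total length */
	uint32_t code;     /* device-supplied claim about the request */
};
struct pending_cmd {   /* simplified stand-in for the driver's command slot */
	void   *odata;     /* NULL when the host expects no reply data */
	size_t  olen;      /* capacity of odata in bytes */
	uint8_t buf[32];   /* raw reply bytes as received */
	size_t  buflen;    /* number of valid bytes in buf */
};

/* Build a constructed reply: header plus an optional 32-bit payload. */
void fill_reply(struct pending_cmd *cmd, uint32_t code, const uint32_t *payload)
{
	struct reply_hdr hdr = { (uint32_t)sizeof(hdr) + (payload ? 4u : 0u), code };
	memcpy(cmd->buf, &hdr, sizeof(hdr));
	if (payload != NULL)
		memcpy(cmd->buf + sizeof(hdr), payload, sizeof(*payload));
	cmd->buflen = hdr.len;
}

/* Returns 0 if the reply was accepted, -1 if it was rejected. */
int handle_reply(struct pending_cmd *cmd)
{
	struct reply_hdr hdr;
	if (cmd->buflen < sizeof(hdr))
		return -1;
	memcpy(&hdr, cmd->buf, sizeof(hdr));
	if ((hdr.code & 0xff) != WDCMSG_TARGET_START)
		return 0;      /* other reply types are not modelled here */
	if (cmd->odata == NULL || cmd->olen < sizeof(uint32_t) ||
	    cmd->buflen < sizeof(hdr) + sizeof(uint32_t))
		return -1;     /* host expected no data, or the reply is too short */
	memcpy(cmd->odata, cmd->buf + sizeof(hdr), sizeof(uint32_t));
	return 0;
}

int main(void)
{
	struct pending_cmd cmd = { NULL, 0, {0}, 0 };  /* no reply data expected */
	uint32_t v = 7;                                /* constructed payload */
	fill_reply(&cmd, WDCMSG_TARGET_START, &v);
	printf("TARGET_START reply with odata == NULL -> %d\n", handle_reply(&cmd));
	return 0;
}
```
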
Comment 1 Jose Luis Duran freebsd_committer freebsd_triage 2025-02-11 21:03:02 UTC
Naive attempt to avoid the bug:
https://reviews.freebsd.org/D48948
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-02-12 15:35:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4

commit 4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-02-12 15:31:43 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-02-12 15:33:26 +0000

    uath: Avoid a NULL dereference

    PR:             284643
    Reviewed by:    adrian
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D48948

 sys/dev/usb/wlan/if_uath.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-02-19 16:25:35 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fcb7c640e27088b2b6673f5cc26cbf230d0a28f

commit 9fcb7c640e27088b2b6673f5cc26cbf230d0a28f
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-02-12 15:31:43 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-02-19 16:24:39 +0000

    uath: Avoid a NULL dereference

    PR:             284643
    Reviewed by:    adrian
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D48948

    (cherry picked from commit 4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4)

 sys/dev/usb/wlan/if_uath.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2025-02-19 16:25:36 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2dcc11d82758b0b1320dbc16c8ce30b0f8d5b4c5

commit 2dcc11d82758b0b1320dbc16c8ce30b0f8d5b4c5
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-02-12 15:31:43 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-02-19 16:23:59 +0000

    uath: Avoid a NULL dereference

    PR:             284643
    Reviewed by:    adrian
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D48948

    (cherry picked from commit 4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4)

 sys/dev/usb/wlan/if_uath.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
Comment 5 Jose Luis Duran freebsd_committer freebsd_triage 2025-02-19 16:26:05 UTC
Thank you!