dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the Atheros USB wireless card, treating the replies to different commands differently. It decides what to do based on the card's claim about what the original request was:

        hdr = (struct uath_cmd_hdr *)cmd->buf; ...; switch (hdr->code & 0xff) {

A USB device pretending to be a uath can cause trouble if the driver sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets cmd->odata = NULL since no reply data is expected. But if the device sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:

        case WDCMSG_TARGET_START: ...; bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
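The failure mode reported above, as an added user-space model that is not part of the original report and is not FreeBSD driver code. All demo_ names, the struct layouts and the numeric codes are constructed for illustration, and the header is kept in host byte order for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed codes for this model; not the driver's real values. */
enum { DEMO_HOST_AVAILABLE = 1, DEMO_TARGET_START = 2 };

struct demo_hdr { uint32_t len, code; };   /* hypothetical reply header */
struct demo_cmd {                          /* hypothetical pending command */
    uint8_t buf[64];  /* raw reply bytes, fully device-controlled */
    size_t  buflen;   /* bytes actually received */
    void   *odata;    /* NULL when the caller expects no reply data */
    size_t  olen;     /* size of the caller's reply buffer */
};

/* Build a constructed reply: header with the given code plus a 4-byte payload. */
void demo_make_reply(struct demo_cmd *cmd, uint32_t code, uint32_t payload)
{
    struct demo_hdr h = { (uint32_t)(sizeof(h) + sizeof(payload)), code };
    memset(cmd, 0, sizeof(*cmd));          /* leaves odata == NULL, olen == 0 */
    memcpy(cmd->buf, &h, sizeof(h));
    memcpy(cmd->buf + sizeof(h), &payload, sizeof(payload));
    cmd->buflen = sizeof(h) + sizeof(payload);
}

/* Returns 0 if the reply was handled, -1 if it was rejected. */
int demo_cmdeof_checked(struct demo_cmd *cmd)
{
    struct demo_hdr h;
    if (cmd->buflen < sizeof(h))
        return -1;                         /* too short to hold a header */
    memcpy(&h, cmd->buf, sizeof(h));
    switch (h.code & 0xff) {
    case DEMO_TARGET_START:
        /* The unchecked form copies here unconditionally, so a reply whose
         * code does not match the request writes through odata == NULL. */
        if (cmd->odata == NULL || cmd->olen < sizeof(uint32_t))
            return -1;                     /* caller asked for no reply data */
        if (cmd->buflen < sizeof(h) + sizeof(uint32_t))
            return -1;                     /* payload truncated */
        memcpy(cmd->odata, cmd->buf + sizeof(h), sizeof(uint32_t));
        return 0;
    default:
        return 0;                          /* other codes ignored in this model */
    }
}
```

The point of the model is that the reply code, the payload length and the payload itself all come from the device, so each one is checked against what the host side actually set up before any copy.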
Naive attempt to avoid the bug: https://reviews.freebsd.org/D48948
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4

commit 4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-02-12 15:31:43 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-02-12 15:33:26 +0000

    uath: Avoid a NULL dereference

    PR:             284643
    Reviewed by:    adrian
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D48948

 sys/dev/usb/wlan/if_uath.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)