Bug 284643

Summary:    uath_cmdeof() NULL dereference
Product:    Base System
Reporter:   Robert Morris <rtm>
Component:  wireless
Assignee:   freebsd-wireless (Nobody) <wireless>
Status:     In Progress
Severity:   Affects Some People
CC:         jlduran
Priority:   ---
Flags:      jlduran: mfc-stable14?
            jlduran: mfc-stable13?
Version:    CURRENT
Hardware:   Any
OS:         Any

Description Robert Morris 2025-02-07 19:09:46 UTC
dev/usb/wlan/if_uath.c's uath_cmdeof() handles replies from the
Atheros USB wireless card, treating the replies to different commands
differently. It decides what to do based on the card's claim about
what the original request was:

        hdr = (struct uath_cmd_hdr *)cmd->buf;
        ...;
        switch (hdr->code & 0xff) {

A USB device pretending to be a uath can cause trouble if the driver
sends a WDCMSG_HOST_AVAILABLE command. In that case, the driver sets
cmd->odata = NULL since no reply data is expected. But if the device
sets hdr->code to WDCMSG_TARGET_START, this bcopy will crash:

        case WDCMSG_TARGET_START:
          ...;
          bcopy(hdr+1, cmd->odata, sizeof(uint32_t));
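
The trust problem in the report, as an added illustration that is not the driver's code and not the committed fix (the diff is not reproduced on this page). It models the reply path in a user-space harness: the host records which command it sent (cmd->sent_code, cmd->buflen and cmd->olen are assumed bookkeeping fields, not if_uath.c's), the device answers with a header whose code it controls, and the vulnerable dispatcher copies into cmd->odata on the strength of that claim alone. The hardened variant refuses a reply whose code does not match the request and never copies into a missing or undersized buffer. The WDCMSG_* values are stand-ins for the real constants, and memcpy stands in for the driver's bcopy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in command numbers; the real values live in if_uathreg.h. */
#define WDCMSG_HOST_AVAILABLE 0x01
#define WDCMSG_TARGET_START   0x02

enum cmdeof_result {
	CMDEOF_OK = 0,
	CMDEOF_NO_REPLY_BUF,   /* no odata to copy into: the NULL deref on the page */
	CMDEOF_CODE_MISMATCH,  /* device answered a command the host never sent */
	CMDEOF_SHORT           /* reply shorter than header plus expected payload */
};

struct uath_cmd_hdr {
	uint32_t len;
	uint32_t code;
	uint32_t priv;
	uint32_t magic;
};

struct uath_cmd {
	uint8_t  buf[64];     /* reply bytes as received from the device */
	size_t   buflen;      /* assumed field: bytes actually received */
	uint32_t sent_code;   /* assumed field: command the host issued */
	void    *odata;       /* caller's reply buffer, NULL when none expected */
	size_t   olen;        /* assumed field: size of odata */
};

/* Vulnerable shape: dispatch on the device's claim, copy unconditionally.
 * The NULL case is reported instead of dereferenced so the demo survives. */
static enum cmdeof_result cmdeof_trusting(struct uath_cmd *cmd)
{
	struct uath_cmd_hdr *hdr = (struct uath_cmd_hdr *)cmd->buf;

	switch (hdr->code & 0xff) {
	case WDCMSG_TARGET_START:
		if (cmd->odata == NULL)
			return CMDEOF_NO_REPLY_BUF;   /* kernel would panic here */
		memcpy(cmd->odata, hdr + 1, sizeof(uint32_t));
		return CMDEOF_OK;
	default:
		return CMDEOF_OK;
	}
}

/* Hardened shape: the reply code must match the request, and a copy
 * happens only into a buffer that exists, within both buffers' bounds. */
static enum cmdeof_result cmdeof_checked(struct uath_cmd *cmd)
{
	struct uath_cmd_hdr *hdr;

	if (cmd->buflen < sizeof(*hdr))
		return CMDEOF_SHORT;
	hdr = (struct uath_cmd_hdr *)cmd->buf;
	if ((hdr->code & 0xff) != cmd->sent_code)
		return CMDEOF_CODE_MISMATCH;

	switch (hdr->code & 0xff) {
	case WDCMSG_TARGET_START:
		if (cmd->odata == NULL || cmd->olen < sizeof(uint32_t))
			return CMDEOF_NO_REPLY_BUF;
		if (cmd->buflen < sizeof(*hdr) + sizeof(uint32_t))
			return CMDEOF_SHORT;
		memcpy(cmd->odata, hdr + 1, sizeof(uint32_t));
		return CMDEOF_OK;
	default:
		return CMDEOF_OK;
	}
}

/* Constructed reply: what the host sent, what the device claims, one
 * 32-bit payload word, and the reply buffer the host registered. */
static void fill_reply(struct uath_cmd *cmd, uint32_t sent, uint32_t claimed,
    uint32_t payload, void *odata, size_t olen)
{
	struct uath_cmd_hdr *hdr = (struct uath_cmd_hdr *)cmd->buf;

	memset(cmd, 0, sizeof(*cmd));
	cmd->sent_code = sent;
	cmd->odata = odata;
	cmd->olen = olen;
	hdr->len = sizeof(*hdr) + sizeof(uint32_t);
	hdr->code = claimed;
	memcpy(hdr + 1, &payload, sizeof(payload));
	cmd->buflen = hdr->len;
}

/* Host sent HOST_AVAILABLE with odata == NULL; device claims TARGET_START. */
enum cmdeof_result demo_hostile_trusting(void)
{
	struct uath_cmd cmd;
	fill_reply(&cmd, WDCMSG_HOST_AVAILABLE, WDCMSG_TARGET_START, 0xdeadbeefu, NULL, 0);
	return cmdeof_trusting(&cmd);
}

enum cmdeof_result demo_hostile_checked(void)
{
	struct uath_cmd cmd;
	fill_reply(&cmd, WDCMSG_HOST_AVAILABLE, WDCMSG_TARGET_START, 0xdeadbeefu, NULL, 0);
	return cmdeof_checked(&cmd);
}

/* Honest device: TARGET_START asked, TARGET_START answered, buffer present. */
enum cmdeof_result demo_benign_checked(uint32_t *out)
{
	struct uath_cmd cmd;
	*out = 0;
	fill_reply(&cmd, WDCMSG_TARGET_START, WDCMSG_TARGET_START, 0x11223344u, out, sizeof(*out));
	return cmdeof_checked(&cmd);
}

int main(void)
{
	uint32_t v;
	printf("trusting, hostile reply: %d\n", demo_hostile_trusting());
	printf("checked,  hostile reply: %d\n", demo_hostile_checked());
	printf("checked,  benign reply:  %d value 0x%08x\n", demo_benign_checked(&v), v);
	return 0;
}
```

The mismatch check is the part that generalises: a reply type chosen by the device must never select a handler that assumes state set up for a different request, and the NULL check in the TARGET_START case is the narrower guard that alone would have stopped the reported crash.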
Comment 1 Jose Luis Duran freebsd_committer freebsd_triage 2025-02-11 21:03:02 UTC
Naive attempt to avoid the bug:
https://reviews.freebsd.org/D48948
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-02-12 15:35:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4

commit 4b77a9a80cf8a9cba5607d8d8fa0742334dcf0f4
Author:     Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-02-12 15:31:43 +0000
Commit:     Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-02-12 15:33:26 +0000

    uath: Avoid a NULL dereference

    PR:             284643
    Reviewed by:    adrian
    Approved by:    emaste (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D48948

 sys/dev/usb/wlan/if_uath.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)