[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
Tommaso changed:
What|Removed|Added
Summary|Kernel remote heap overflow|Kernel remote heap overflow

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
Adrian Chadd changed:
What|Removed|Added
Severity|Affects Some People|Affects Many People

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #1 from Mark Johnston ---
Was this analysis based on a crash you hit, or the output of some static analysis? It is copying the mbuf contents into a buffer of size RSU_TXBUFSZ, not of size sizeof(struct r92s_tx_desc).

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #2 from Tommaso ---
(In reply to Mark Johnston from comment #1)
oh, haven't noticed that, this was found by static analysis, also I don't know if it can cause an issue, but I've noticed that in the same function, while other if

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #3 from Tommaso ---
(In reply to Tommaso from comment #2)
looking at other implementations of rum_raw_xmit() in other drivers, seems like a lock should be taken, since all of them take one / make sure sc is locked.

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #4 from Tommaso ---
(In reply to Tommaso from comment #3)
static int
rsu_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
    const struct ieee80211_bpf_params *params)
{
	struct ieee80211com *ic = ni->ni_ic;

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
Mark Johnston changed:
What|Removed|Added
CC||ma...@freebsd.org
Stat

[Bug 254479] Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards USB driver

2021-03-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
--- Comment #6 from commit-h...@freebsd.org ---
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=453d8a7ee2fc862f3a5e98185d57c8ad05cbc047
commit 453d8a7ee2fc862f3a5e98185d57c8ad05cbc047
Author: