Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 28 Jun 2002 22:26:06 +0200 (CEST)
From:      elias@kjell.utb.falun.se
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/39960: wi driver can cause system crash when trying to handle negative value for WI_RID_TX_CRYPT_KEY
Message-ID:  <20020628202606.82DCA2D1@kjell.utb.falun.se>
next in thread | raw e-mail | index | archive | help 

>Number:         39960
>Category:       kern
>Synopsis:       wi driver can cause system crash when trying to handle negative value for WI_RID_TX_CRYPT_KEY
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 28 13:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Elias Norberg
>Release:        FreeBSD 4.6-RELEASE i386
>Organization:
>Environment:
System: FreeBSD node23 4.6-RELEASE FreeBSD 4.6-RELEASE #1: Sat Jun 22 16:22:28 CEST 2002 root@node23:/usr/src/sys/compile/FreeBSD i386

>Description:
	
	When executing the following command on a computer with
	the 3CRWE777A wireless device, the system crashes:
	
	wicontrol -T 0 

	In turn, wicontol executes the following code:
	(this code has been shortened down to show the
	 cause of the problem)
	----------
	struct wi_req wreq;
	struct ifreq ifr;
	int sock;

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	wreq.wi_type = WI_RID_TX_CRYPT_KEY;
	wreq.wi_len = 2;
	wreq.wi_val[0] = -1;

	bzero(&ifr, sizeof(ifr));
	strcpy(ifr.ifr_name, "wi0");
	ifr.ifr_data = (caddr_t)&wreq;

	ioctl(sock, SIOCSWAVELAN, &ifr )

	close(sock);
	----------

	When this ioctl is executed, the system crashes, due
	to an illegal value being written to the wireless card.
	 
>How-To-Repeat:
	
	
	See above for a complete code-snippet which reproduces this,
	alternatively, try executing 'wicontrol -T 0'.
	
>Fix:
	
	Below is a patch for sys/dev/wi/if_wi.c from 4.6-RELEASE.
	This takes care of the problem, and shouldnt break anything,
	since the standard values range from 0 to 3.

	
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020628202606.82DCA2D1>