Re: state of netbt

To: Iain Hibbert <plunky%ogmig.net@localhost>, "tech-net%NetBSD.org@localhost" <tech-net%netbsd.org@localhost>
Subject: Re: state of netbt
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Sat, 4 Aug 2018 08:53:50 +0200

Le 03/08/2018 à 20:37, Iain Hibbert a écrit :

Hi

Can you explain the horror you are experiencing?


Not "experiencing" strictly speaking (I don't use bluetooth devices), but
a few months ago I scroll-read through the code and found problems.

Eg in hci_event_num_compl_pkts(), the three first lines of the loop:

386 	while (ep.num_con_handles--) {
387 		m_copydata(m, 0, sizeof(handle), &handle);
388 		m_adj(m, sizeof(handle));

Here there is no length check, the kernel can crash in m_copydata.

References:
- state of netbt
  - From: Maxime Villard

Prev by Date: Re: WiFi Refresh -- Report 3
Next by Date: Bug in urtwn_llt_init()?
Previous by Thread: Re: state of netbt
Next by Thread: Re: state of netbt
Indexes:

Home | Main Index | Thread Index | Old Index