Subject: kern/34634: Bluetooth SCO crash
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <jose@vasmac.com>
List: netbsd-bugs
Date: 09/27/2006 02:30:00
	Note: There was a bad value `' for the field `Priority'.
	It was set to the default value of `medium'.

>Number:         34634
>Category:       kern
>Synopsis:       SCO crash in ubt.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 27 02:30:00 +0000 2006
>Originator:     Jose Vasconcellos
>Release:        NetBSD 4.0_BETA
>Organization:
	
>Environment:
	
	
System: NetBSD jose-PC 4.0_BETA NetBSD 4.0_BETA (OPTKERNEL) #2: Tue Sep 26 12:23:54 EDT 2006 jose@jose-PC:/usr/obj/sys/arch/i386/compile/OPTKERNEL i386
Architecture: i386
Machine: i386
>Description:
	
When attempting to play an audio file to a headset (e.g. audioplay)
the program hangs or NetBSD crashes (if sysctl -w hw.ubt0.config=2).
This has been duplicated on the GENERIC kernel with Broadcom and CSR
USB dongles.

If hw.ubt0.config=0, SCO connection is established and 8 SCO frames
are sent, then the application hangs.

If hw.ubt0.config=2, SCO connection is established and NetBSD crashes.
The debugger shows that it is trying to do a memcpy with a NULL ptr
that is called from ubt_xmit_sco_start1.
>How-To-Repeat:
	
btconfig -v ubt0 class 0x3e0100
btconfig -v ubt0 scomtu 48
btpin -a headset -p 0000
btdevctl -d ubt0 -a headset -s HSET -A
# the following line causes a crash when audioplay is executed
sysctl -w hw.ubt0.config=2
bthset -m /dev/mixer1 -c 1 -v
audioplay -f -s 8000 -c 1 -P 16 -e slinear_le -d /dev/audio1 sound.au
>Fix:
	

>Unformatted: