NetBSD-Bugs archive


kern/51081: calling ioctl while attaching wifi device causes a jump to NULL



>Number:         51081
>Category:       kern
>Synopsis:       calling ioctl while attaching wifi device causes a jump to NULL
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 21 05:25:00 +0000 2016
>Originator:     coypu
>Release:        NetBSD 7.99.27
>Organization:
>Environment:
NetBSD net.Home 7.99.27 NetBSD 7.99.27 (GENERIC) #3: Wed Apr 20 00:08:35 IDT 2016  fly%net.Home@localhost:/usr/obj.wip/sys/arch/amd64/compile/GENERIC amd64
>Description:
The device is exposed before it is completely initialized; if a user tries to use it, some of its state may still be undefined.

Calling ioctl can induce calls like this one (sys/net/if_media.c:322):

(*ifm->ifm_status)(ifp, ifmr);

ifm->ifm_status may not be set yet at this point, so the indirect call becomes a jump to NULL.
>How-To-Repeat:
Attach a wifi device and be really unlucky, or attach it while running this program (may require a few attempts):

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copy of the kernel's struct ifmediareq (see <net/if.h>), kept as in
 * the original report so no further headers are needed. */
struct ifmediareq {
        char    ifm_name[16];                   /* if name, e.g. "en0" */
        int     ifm_current;                    /* current media options */
        int     ifm_mask;                       /* don't care mask */
        int     ifm_status;                     /* media status */
        int     ifm_active;                     /* active options */
        int     ifm_count;                      /* # entries in ifm_ulist
                                                   array */
        int     *ifm_ulist;                     /* media words */
};

int main(void) {
        struct ifmediareq ifmr;         /* a real object, not an uninitialized pointer */
        int fd;

        memset(&ifmr, 0, sizeof(ifmr));
        strlcpy(ifmr.ifm_name, "urtwn0", sizeof(ifmr.ifm_name));

        /* Any socket serves as a handle for interface ioctls; an AF_INET
         * datagram socket is what ifconfig uses. (The original used
         * socket(AF_UNSPEC, SOCK_RAW, 0), which socket(2) rejects.) */
        fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd == -1) {
                perror("socket");
                return EXIT_FAILURE;
        }

        /* Keep issuing SIOCGIFMEDIA so that one call lands in the window
         * between if_attach()/if_register() and ieee80211_media_init(). */
        for (;;)
                ioctl(fd, SIOCGIFMEDIA, &ifmr); /* pass the struct itself, not &pointer */
}

>Fix:
Magically make ieee80211_media_init happen before if_attach / if_register (not possible right now?).

This probably affects all wifi devices and not just urtwn, but not all of them can be attached as easily while the machine is running.
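To make the race and both remedies concrete, here is a user-space model of the attach/ioctl ordering. It is an added example, not code from this PR or from the NetBSD kernel: the model_ structures, functions and the if_registered flag are constructed stand-ins for struct ifnet, struct ifmedia, struct ifmediareq, if_register() and ieee80211_media_init(), and the IFM_ bit values are illustrative. The hardened ioctl path refuses a NULL ifm_status callback with ENXIO instead of jumping to it (the guard the kernel path at sys/net/if_media.c:322 lacks), and the second scenario shows the ordering the Fix section asks for: initialize media, then publish the interface.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel structures (hypothetical
 * "model_" names; the real structures carry many more fields). */
#define IFM_AVALID  0x00000001          /* illustrative status bits */
#define IFM_ACTIVE  0x00000002

struct model_ifnet;

struct model_ifmediareq {
        int ifm_status;                 /* filled in by the status callback */
        int ifm_active;
};

typedef void (*model_status_cb)(struct model_ifnet *, struct model_ifmediareq *);

struct model_ifmedia {
        model_status_cb ifm_status;     /* NULL until media init has run */
};

struct model_ifnet {
        int if_registered;              /* non-zero once ioctl() callers can find it */
        struct model_ifmedia if_media;
};

/* The driver's status callback; in the kernel it is installed by
 * ieee80211_media_init() through ifmedia_init(). */
static void model_wifi_status(struct model_ifnet *ifp, struct model_ifmediareq *ifmr)
{
        (void)ifp;
        ifmr->ifm_status = IFM_AVALID | IFM_ACTIVE;
}

/* Stands in for ieee80211_media_init(): installs the callback. */
static void model_media_init(struct model_ifnet *ifp)
{
        ifp->if_media.ifm_status = model_wifi_status;
}

/* Stands in for if_attach()/if_register(): makes the interface visible. */
static void model_if_register(struct model_ifnet *ifp)
{
        ifp->if_registered = 1;
}

/* Hardened SIOCGIFMEDIA path. The unguarded form in the report is just
 * (*ifm->ifm_status)(ifp, ifmr); here a NULL callback is refused. */
static int model_ifmedia_ioctl(struct model_ifnet *ifp, struct model_ifmediareq *ifmr)
{
        struct model_ifmedia *ifm = &ifp->if_media;

        if (!ifp->if_registered)
                return ENXIO;           /* lookup by name would fail here */
        ifmr->ifm_status = 0;
        if (ifm->ifm_status == NULL)
                return ENXIO;           /* media not initialized yet: the guard */
        (*ifm->ifm_status)(ifp, ifmr);
        return 0;
}

/* The race from the report: the interface is published, the user's ioctl
 * arrives, and only then does media init run. Returns the ioctl error. */
static int model_scenario_race(void)
{
        struct model_ifnet ifp;
        struct model_ifmediareq ifmr;
        int error;

        memset(&ifp, 0, sizeof(ifp));
        memset(&ifmr, 0, sizeof(ifmr));
        model_if_register(&ifp);                  /* published first ...        */
        error = model_ifmedia_ioctl(&ifp, &ifmr); /* ... ioctl lands in the gap */
        model_media_init(&ifp);                   /* ... media init is too late */
        return error;
}

/* The ordering the Fix asks for: fully initialize, then publish. Returns the
 * status word the ioctl filled in, or a negative errno on failure. */
static int model_scenario_ordered(void)
{
        struct model_ifnet ifp;
        struct model_ifmediareq ifmr;
        int error;

        memset(&ifp, 0, sizeof(ifp));
        memset(&ifmr, 0, sizeof(ifmr));
        model_media_init(&ifp);                   /* callbacks in place ...     */
        model_if_register(&ifp);                  /* ... before anyone sees it  */
        error = model_ifmedia_ioctl(&ifp, &ifmr);
        return error ? -error : ifmr.ifm_status;
}

int main(void)
{
        printf("race:    ioctl returned %d (ENXIO is %d), no NULL call made\n",
            model_scenario_race(), ENXIO);
        printf("ordered: status word 0x%x\n", model_scenario_ordered());
        return 0;
}
```

The two scenarios are complementary: the NULL check turns the window into a harmless ENXIO for whoever hits it, while the init-before-register ordering closes the window altogether, which is why the Fix section prefers it even though it is harder to arrange in the current attach sequence.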


