Date: Mon, 5 Dec 2011 18:10:43 +0000 (UTC) From: Pyun YongHyeon <yongari@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r228286 - head/sys/dev/ed Message-ID: <201112051810.pB5IAhgg051862@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: yongari Date: Mon Dec 5 18:10:43 2011 New Revision: 228286 URL: http://svn.freebsd.org/changeset/base/228286 Log: Fix off by one error in mbuf access. Previously it caused panic. While I'm here use NULL to compare mbuf pointer and add additional check for zero length mbuf before accessing the mbuf. PR: kern/162932 Modified: head/sys/dev/ed/if_ed.c Modified: head/sys/dev/ed/if_ed.c ============================================================================== --- head/sys/dev/ed/if_ed.c Mon Dec 5 17:44:12 2011 (r228285) +++ head/sys/dev/ed/if_ed.c Mon Dec 5 18:10:43 2011 (r228286) @@ -1709,12 +1709,19 @@ ed_shmem_write_mbufs(struct ed_softc *sc break; } } - for (len = 0; m != 0; m = m->m_next) { - if (sc->isa16bit) - bus_space_write_region_2(sc->mem_bst, - sc->mem_bsh, dst, - mtod(m, uint16_t *), (m->m_len + 1)/ 2); - else + for (len = 0; m != NULL; m = m->m_next) { + if (m->m_len == 0) + continue; + if (sc->isa16bit) { + if (m->m_len > 1) + bus_space_write_region_2(sc->mem_bst, + sc->mem_bsh, dst, + mtod(m, uint16_t *), m->m_len / 2); + if ((m->m_len & 1) != 0) + bus_space_write_1(sc->mem_bst, sc->mem_bsh, + dst + m->m_len - 1, + *(mtod(m, uint8_t *) + m->m_len - 1)); + } else bus_space_write_region_1(sc->mem_bst, sc->mem_bsh, dst, mtod(m, uint8_t *), m->m_len);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112051810.pB5IAhgg051862>