diff options
author | yongari <yongari@FreeBSD.org> | 2010-10-14 18:31:40 +0000 |
---|---|---|
committer | yongari <yongari@FreeBSD.org> | 2010-10-14 18:31:40 +0000 |
commit | 92023f4cc9e471aa4ad6bf4362c248d8f173e46a (patch) | |
tree | a0e4e25c77486cf23be8641eed71e4b366b6078f /sys/dev/bce | |
parent | a4ebafd9602a429881d9def23f17e029dcc762ce (diff) | |
download | FreeBSD-src-92023f4cc9e471aa4ad6bf4362c248d8f173e46a.zip FreeBSD-src-92023f4cc9e471aa4ad6bf4362c248d8f173e46a.tar.gz |
Make sure to not use stale ip/tcp header pointers. The ip/tcp
header parser uses m_pullup(9) to get access to mbuf chain.
m_pullup(9) can allocate new mbuf chain and free old one if the
space left in the mbuf chain is not enough to hold requested
contiguous bytes. Previously drivers can use stale ip/tcp header
pointer if m_pullup(9) returned new mbuf chain.
Reported by: Andrew Boyer (aboyer <> averesystems dot com)
MFC after: 10 days
Diffstat (limited to 'sys/dev/bce')
-rw-r--r-- | sys/dev/bce/if_bce.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/dev/bce/if_bce.c b/sys/dev/bce/if_bce.c index 5cc8157..9d098cc 100644 --- a/sys/dev/bce/if_bce.c +++ b/sys/dev/bce/if_bce.c @@ -6736,6 +6736,7 @@ bce_tso_setup(struct bce_softc *sc, struct mbuf **m_head, u16 *flags) } /* Get the TCP header length in bytes (min 20) */ + ip = (struct ip *)(m->m_data + sizeof(struct ether_header)); th = (struct tcphdr *)((caddr_t)ip + ip_hlen); tcp_hlen = (th->th_off << 2); @@ -6748,6 +6749,7 @@ bce_tso_setup(struct bce_softc *sc, struct mbuf **m_head, u16 *flags) } /* IP header length and checksum will be calc'd by hardware */ + ip = (struct ip *)(m->m_data + sizeof(struct ether_header)); ip_len = ip->ip_len; ip->ip_len = 0; ip->ip_sum = 0; |