authorsilby <silby@FreeBSD.org>2005-06-23 04:34:43 +0000
committersilby <silby@FreeBSD.org>2005-06-23 04:34:43 +0000
commit3c6267e11deff4f879133acb2c3fd807bc107d88 (patch)
tree3e8ab18cdb214946b891325290e411504e320729 /sys/dev/iwi
parentcbb0f23931a7bdcc93f3eb371c7c91961adf2175 (diff)
Fix a read mbuf-after-free error in the iwi driver that was provoked by
the trash allocator being used on mbufs. Reviewed by: damien Approved by: re (scottl)
Diffstat (limited to 'sys/dev/iwi')
-rw-r--r--sys/dev/iwi/if_iwi.c15
1 files changed, 6 insertions, 9 deletions
diff --git a/sys/dev/iwi/if_iwi.c b/sys/dev/iwi/if_iwi.c
index d5a1bc4..e6aa051 100644
--- a/sys/dev/iwi/if_iwi.c
+++ b/sys/dev/iwi/if_iwi.c
@@ -1344,7 +1344,7 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
{
struct iwi_softc *sc = ifp->if_softc;
struct ieee80211com *ic = &sc->sc_ic;
- struct ieee80211_frame *wh;
+ struct ieee80211_frame wh;
struct ieee80211_key *k;
struct iwi_tx_data *data;
struct iwi_tx_desc *desc;
@@ -1352,14 +1352,11 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
bus_dma_segment_t segs[IWI_MAX_NSEG];
int nsegs, error, i;
- wh = mtod(m0, struct ieee80211_frame *);
- if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
+ bcopy(mtod(m0, struct ieee80211_frame *), &wh, sizeof (struct ieee80211_frame));
+ if (wh.i_fc[1] & IEEE80211_FC1_WEP) {
k = ieee80211_crypto_encap(ic, ni, m0);
if (k == NULL)
return ENOBUFS;
-
- /* packet header may have moved, reset our local pointer */
- wh = mtod(m0, struct ieee80211_frame *);
}
if (sc->sc_drvbpf != NULL) {
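Review bot: The `bcopy` at the top of `iwi_tx_start` reads `sizeof (struct ieee80211_frame)` bytes from the first mbuf of `m0` with no visible check that `m0->m_len` covers a full header; a shorter leading mbuf would make this an out-of-bounds read whose result is later copied into the TX descriptor. The callers are outside the hunk, so the length may already be guaranteed, but `KASSERT(m0->m_len >= sizeof (struct ieee80211_frame), ("iwi_tx_start: short header"));` before the copy would make that assumption explicit. The removed comment was the only explanation of the header pointer's lifetime, so I would add a replacement above the copy, e.g. `/* keep a private copy of the 802.11 header; per the commit log the mbuf can be freed before the header is last read */`. The function body starts and continues outside this hunk.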
@@ -1413,15 +1410,15 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
desc->hdr.flags = IWI_HDR_FLAG_IRQ;
desc->cmd = IWI_DATA_CMD_TX;
desc->len = htole16(m0->m_pkthdr.len);
- memcpy(&desc->wh, wh, sizeof (struct ieee80211_frame));
+ memcpy(&desc->wh, &wh, sizeof (struct ieee80211_frame));
desc->flags = 0;
- if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
+ if (!IEEE80211_IS_MULTICAST(wh.i_addr1))
desc->flags |= IWI_DATA_FLAG_NEED_ACK;
#if 0
if (ic->ic_flags & IEEE80211_F_PRIVACY) {
- wh->i_fc[1] |= IEEE80211_FC1_WEP;
+ wh.i_fc[1] |= IEEE80211_FC1_WEP;
desc->wep_txkey = ic->ic_crypto.cs_def_txkey;
} else
#endif
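Review bot: Inside the `#if 0` block, `wh.i_fc[1] |= IEEE80211_FC1_WEP;` now sets the bit on the stack copy after that copy has already been written to `desc->wh` by the `memcpy` a few lines above, so if the block is ever re-enabled the flag would reach neither the descriptor nor the mbuf. Before this change the write went through the pointer into the mbuf data; whether `wh` is read again further down is not visible in the hunk. Either drop the dead block or state the intent directly with `desc->wh.i_fc[1] |= IEEE80211_FC1_WEP;`. As a style point in the same hunk, `sizeof wh` in the `memcpy` (and in the earlier `bcopy`) would tie the length to the local object now that it is a struct rather than a pointer.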