diff options
| author | sephe <sephe@FreeBSD.org> | 2007-04-19 13:09:57 +0000 |
|---|---|---|
| committer | sephe <sephe@FreeBSD.org> | 2007-04-19 13:09:57 +0000 |
| commit | f9d2951cadf7da6eb5345a1c593b6389e5abe53b (patch) | |
| tree | fc56ac28bfefae2cf5891d951a7412389926f895 /sys/dev/usb/if_ural.c | |
| parent | e8a77bd9270dfbfa30aa44607f5f3ecb4e70ee3e (diff) | |
| download | FreeBSD-src-f9d2951cadf7da6eb5345a1c593b6389e5abe53b.zip FreeBSD-src-f9d2951cadf7da6eb5345a1c593b6389e5abe53b.tar.gz | |
- Fix mbuf/node leakage in drivers' raw_xmit().
- For ural(4):
o Fix node leakage in ural_start(), if ural_tx_mgt() fails.
o Fix mbuf leakage in ural_tx_{mgt,data}(), if usbd_transfer() fails.
o In ural_tx_{mgt,data}(), set ural_tx_data.{m,ni} to NULL, if
usbd_transfer() fails, so they will not be freed again in ural_stop().
Approved by: sam (mentor)
Diffstat (limited to 'sys/dev/usb/if_ural.c')
| -rw-r--r-- | sys/dev/usb/if_ural.c | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/sys/dev/usb/if_ural.c b/sys/dev/usb/if_ural.c index f9bcf1e..6173f18 100644 --- a/sys/dev/usb/if_ural.c +++ b/sys/dev/usb/if_ural.c @@ -1222,8 +1222,12 @@ ural_tx_mgt(struct ural_softc *sc, struct mbuf *m0, struct ieee80211_node *ni) ural_txeof); error = usbd_transfer(data->xfer); - if (error != USBD_NORMAL_COMPLETION && error != USBD_IN_PROGRESS) + if (error != USBD_NORMAL_COMPLETION && error != USBD_IN_PROGRESS) { + m_freem(m0); + data->m = NULL; + data->ni = NULL; return error; + } sc->tx_queued++; @@ -1246,8 +1250,10 @@ ural_tx_raw(struct ural_softc *sc, struct mbuf *m0, struct ieee80211_node *ni, rate = params->ibp_rate0 & IEEE80211_RATE_VAL; /* XXX validate */ - if (rate == 0) + if (rate == 0) { + m_freem(m0); return EINVAL; + } if (bpf_peers_present(sc->sc_drvbpf)) { struct ural_tx_radiotap_header *tap = &sc->sc_txtap; @@ -1379,8 +1385,12 @@ ural_tx_data(struct ural_softc *sc, struct mbuf *m0, struct ieee80211_node *ni) ural_txeof); error = usbd_transfer(data->xfer); - if (error != USBD_NORMAL_COMPLETION && error != USBD_IN_PROGRESS) + if (error != USBD_NORMAL_COMPLETION && error != USBD_IN_PROGRESS) { + m_freem(m0); + data->m = NULL; + data->ni = NULL; return error; + } sc->tx_queued++; @@ -1411,9 +1421,10 @@ ural_start(struct ifnet *ifp) if (bpf_peers_present(ic->ic_rawbpf)) bpf_mtap(ic->ic_rawbpf, m0); - if (ural_tx_mgt(sc, m0, ni) != 0) + if (ural_tx_mgt(sc, m0, ni) != 0) { + ieee80211_free_node(ni); break; - + } } else { if (ic->ic_state != IEEE80211_S_RUN) break; @@ -2310,10 +2321,15 @@ ural_raw_xmit(struct ieee80211_node *ni, struct mbuf *m, struct ural_softc *sc = ifp->if_softc; /* prevent management frames from being sent if we're not ready */ - if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) + if (!(ifp->if_drv_flags & IFF_DRV_RUNNING)) { + m_freem(m); + ieee80211_free_node(ni); return ENETDOWN; + } if (sc->tx_queued >= RAL_TX_LIST_COUNT) { ifp->if_drv_flags |= IFF_DRV_OACTIVE; + m_freem(m); + ieee80211_free_node(ni); return EIO; } |
