diff options
author | bmilekic <bmilekic@FreeBSD.org> | 2000-12-15 21:06:55 +0000 |
---|---|---|
committer | bmilekic <bmilekic@FreeBSD.org> | 2000-12-15 21:06:55 +0000 |
commit | e9d51c0803304de86917105a749c982aa3159aa2 (patch) | |
tree | b2cb0f1e81452c071d164d341e3d7d816aa46e3f /sys/pci | |
parent | 656396e81a09897de7bc5b03a489970469295171 (diff) | |
download | FreeBSD-src-e9d51c0803304de86917105a749c982aa3159aa2.zip FreeBSD-src-e9d51c0803304de86917105a749c982aa3159aa2.tar.gz |
Make sure to check if MGET(HDR) returned NULL, even when called with M_WAIT.
This fixes the possibility of a NULL pointer dereference in the case where
there are no mbufs or mbuf clusters left.
Approved by: phk
Diffstat (limited to 'sys/pci')
-rw-r--r-- | sys/pci/if_mn.c | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/sys/pci/if_mn.c b/sys/pci/if_mn.c index 04ba311..43ac489 100644 --- a/sys/pci/if_mn.c +++ b/sys/pci/if_mn.c @@ -606,6 +606,8 @@ ngmn_connect(hook_p hook) /* XXX: we actually send a 1 byte packet */ dp = mn_alloc_desc(); MGETHDR(m, M_WAIT, MT_DATA); + if (m == NULL) + return ENOBUFS; m->m_pkthdr.len = 0; dp->m = m; dp->flags = 0xc0000000 + (1 << 16); @@ -619,8 +621,18 @@ ngmn_connect(hook_p hook) /* Setup a receive chain with 5 + NTS descriptors */ dp = mn_alloc_desc(); + m = NULL; MGETHDR(m, M_WAIT, MT_DATA); + if (m == NULL) { + mn_free_desc(dp); + return (ENOBUFS); + } MCLGET(m, M_WAIT); + if ((m->m_flags & M_EXT) == 0) { + mn_free_desc(dp); + m_freem(m); + return (ENOBUFS); + } dp->m = m; dp->data = vtophys(m->m_data); dp->flags = 0x40000000; @@ -632,8 +644,19 @@ ngmn_connect(hook_p hook) for (i = 0; i < (nts + 10); i++) { dp2 = dp; dp = mn_alloc_desc(); + m = NULL; MGETHDR(m, M_WAIT, MT_DATA); + if (m == NULL) { + mn_free_desc(dp); + m_freem(m); + return (ENOBUFS); + } MCLGET(m, M_WAIT); + if ((m->m_flags & M_EXT) == 0) { + mn_free_desc(dp); + m_freem(m); + return (ENOBUFS); + } dp->m = m; dp->data = vtophys(m->m_data); dp->flags = 0x00000000; @@ -1063,12 +1086,13 @@ mn_rx_intr(struct softc *sc, u_int32_t vector) MGETHDR(m, M_DONTWAIT, MT_DATA); if (m == NULL) { mn_free_desc(dp); - return; + return; /* ENOBUFS */ } MCLGET(m, M_DONTWAIT); if((m->m_flags & M_EXT) == 0) { mn_free_desc(dp); - return; + m_freem(m); + return; /* ENOBUFS */ } } dp->m = m; |