diff options
author | yongari <yongari@FreeBSD.org> | 2011-12-05 18:10:43 +0000 |
---|---|---|
committer | yongari <yongari@FreeBSD.org> | 2011-12-05 18:10:43 +0000 |
commit | f47c7431dec003c1c26fce8811c39d1b1db72967 (patch) | |
tree | bab26854516bf71590ccefd7d0bc5ca8cb44152c /sys | |
parent | 7a41e563a7bad30403d1215e7ca77e39cc5bba64 (diff) | |
download | FreeBSD-src-f47c7431dec003c1c26fce8811c39d1b1db72967.zip FreeBSD-src-f47c7431dec003c1c26fce8811c39d1b1db72967.tar.gz |
Fix off by one error in mbuf access. Previously it caused panic.
While I'm here use NULL to compare mbuf pointer and add additional
check for zero length mbuf before accessing the mbuf.
PR: kern/162932
Diffstat (limited to 'sys')
-rw-r--r-- | sys/dev/ed/if_ed.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/sys/dev/ed/if_ed.c b/sys/dev/ed/if_ed.c index b0e1c0c..80446a6 100644 --- a/sys/dev/ed/if_ed.c +++ b/sys/dev/ed/if_ed.c @@ -1709,12 +1709,19 @@ ed_shmem_write_mbufs(struct ed_softc *sc, struct mbuf *m, bus_size_t dst) break; } } - for (len = 0; m != 0; m = m->m_next) { - if (sc->isa16bit) - bus_space_write_region_2(sc->mem_bst, - sc->mem_bsh, dst, - mtod(m, uint16_t *), (m->m_len + 1)/ 2); - else + for (len = 0; m != NULL; m = m->m_next) { + if (m->m_len == 0) + continue; + if (sc->isa16bit) { + if (m->m_len > 1) + bus_space_write_region_2(sc->mem_bst, + sc->mem_bsh, dst, + mtod(m, uint16_t *), m->m_len / 2); + if ((m->m_len & 1) != 0) + bus_space_write_1(sc->mem_bst, sc->mem_bsh, + dst + m->m_len - 1, + *(mtod(m, uint8_t *) + m->m_len - 1)); + } else bus_space_write_region_1(sc->mem_bst, sc->mem_bsh, dst, mtod(m, uint8_t *), m->m_len); |