author | imp <imp@FreeBSD.org> | 2003-08-18 03:07:09 +0000 |
---|---|---|
committer | imp <imp@FreeBSD.org> | 2003-08-18 03:07:09 +0000 |
commit | 4c787d57b889e3cc226488f4294a6eba3b895383 (patch) | |
tree | 412b3751d577a2328beb5b0f5957388b859b4718 /sys | |
parent | 8d4e01126d6842265cac0ee816e747bf44148e77 (diff) | |
Put a band-aid(tm) on the CIS panic problem. This is a similar fix
to what is in NetBSD. I have a few cards that tickle this bug, and
this just keeps us from panicking. It doesn't actually fix the problem
(that will happen once I figure out why some cards hate the address
their CIS is mapped to in high memory).
Diffstat (limited to 'sys')
-rw-r--r-- | sys/dev/pccard/pccard_cis.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/sys/dev/pccard/pccard_cis.c b/sys/dev/pccard/pccard_cis.c
index 4bc8e97..e1b498b 100644
--- a/sys/dev/pccard/pccard_cis.c
+++ b/sys/dev/pccard/pccard_cis.c
@@ -135,7 +135,8 @@ pccard_scan_cis(device_t dev, int (*fct)(struct pccard_tuple *, void *),
 tuple.memh = rman_get_bushandle(res);
 tuple.ptr = 0;
- DPRINTF(("cis mem map %x\n", (unsigned int) tuple.memh));
+ DPRINTF(("cis mem map 0x%x (resource: 0x%lx)\n",
+ (unsigned int) tuple.memh, rman_get_start(res)));
 tuple.mult = 2;
@@ -150,9 +151,20 @@ pccard_scan_cis(device_t dev, int (*fct)(struct pccard_tuple *, void *),
 while (1) {
 while (1) {
- /* get the tuple code */
-
- tuple.code = pccard_cis_read_1(&tuple, tuple.ptr);
+ /*
+ * Perform boundary check for insane cards.
+ * If CIS is too long, simulate CIS end.
+ * (This check may not be sufficient for
+ * malicious cards.)
+ */
+ if (tuple.mult * tuple.ptr >= PCCARD_CIS_SIZE - 1
+ - 32 /* ad hoc value */ ) {
+ printf("CIS is too long -- truncating\n");
+ tuple.code = PCCARD_CISTPL_END;
+ } else {
+ /* get the tuple code */
+ tuple.code = pccard_cis_read_1(&tuple, tuple.ptr);
+ }
 /* two special-case tuples */
@@ -361,7 +373,6 @@ pccard_scan_cis(device_t dev, int (*fct)(struct pccard_tuple *, void *),
 * In general, this means that if one pointer fails, it will
 * try the next one, instead of just bailing.
 */
-
 while (1) {
 if (longlink_present) {
 CARD_SET_RES_FLAGS(device_get_parent(dev), dev, |
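Review bot: The boundary check added ahead of `pccard_cis_read_1(&tuple, tuple.ptr)` in the second hunk bounds only the tuple-code read, and its 32-byte slack is an unexplained literal: a tuple that starts just under the limit and declares a longer body would presumably still take the later length and data reads past `PCCARD_CIS_SIZE`, as the new comment itself concedes. Those reads are in the part of `pccard_scan_cis` outside this hunk, so this is inferred rather than visible here. I would repeat the comparison once the tuple's length byte has been read, with that length added to `tuple.ptr`, and treat an overrun the same way (`tuple.code = PCCARD_CISTPL_END;`). Since the CIS contents come from whatever card is inserted, the message is also worth attributing to the device so the log identifies the offending slot: `device_printf(dev, "CIS is too long -- truncating\n");`.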