From e6740735fe53f885df9630439b6c74ee2234fd74 Mon Sep 17 00:00:00 2001
From: yongari <yongari@FreeBSD.org>
Date: Sat, 13 Oct 2007 00:24:09 +0000
Subject: Fix a NULL pointer dereference in Tx checksum calculation.

Pointed out by: marius
---
 sys/dev/gem/if_gem.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/dev/gem/if_gem.c b/sys/dev/gem/if_gem.c
index cb37ef6..ced67ee 100644
--- a/sys/dev/gem/if_gem.c
+++ b/sys/dev/gem/if_gem.c
@@ -471,10 +471,12 @@ gem_resume(sc)
 static __inline void
 gem_txcksum(struct gem_softc *sc, struct mbuf *m, uint64_t *cflags)
 {
+	struct mbuf *m0;
 	struct ip *ip;
 	uint64_t offset, offset2;
 	char *p;
 
+	m0 = m;
 	offset = sizeof(struct ip) + ETHER_HDR_LEN;
 	for(; m && m->m_len == 0; m = m->m_next)
 		;
@@ -482,6 +484,7 @@ gem_txcksum(struct gem_softc *sc, struct mbuf *m, uint64_t *cflags)
 		device_printf(sc->sc_dev, "%s: m_len < ETHER_HDR_LEN\n",
 		    __func__);
 		/* checksum will be corrupted */
+		m = m0;
 		goto sendit;
 	}
 	if (m->m_len < ETHER_HDR_LEN + sizeof(uint32_t)) {
@@ -489,12 +492,14 @@ gem_txcksum(struct gem_softc *sc, struct mbuf *m, uint64_t *cflags)
 			device_printf(sc->sc_dev,
 			    "%s: m_len != ETHER_HDR_LEN\n", __func__);
 			/* checksum will be corrupted */
+			m = m0;
 			goto sendit;
 		}
 		for(m = m->m_next; m && m->m_len == 0; m = m->m_next)
 			;
 		if (m == NULL) {
 			/* checksum will be corrupted */
+			m = m0;
 			goto sendit;
 		}
 		ip = mtod(m, struct ip *);
-- 
cgit v1.1