Date: Fri, 2 Sep 2011 20:35:22 +0000 (UTC) From: Stanislav Sedov <stas@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r225354 - head/sys/dev/smc Message-ID: <201109022035.p82KZMJr015059@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: stas Date: Fri Sep 2 20:35:22 2011 New Revision: 225354 URL: http://svn.freebsd.org/changeset/base/225354 Log: - Fix NULL pointer dereference when a packet of uneven size is being transmitted. Approved by: re (kib) MFC after: 3 days Modified: head/sys/dev/smc/if_smc.c Modified: head/sys/dev/smc/if_smc.c ============================================================================== --- head/sys/dev/smc/if_smc.c Fri Sep 2 19:29:37 2011 (r225353) +++ head/sys/dev/smc/if_smc.c Fri Sep 2 20:35:22 2011 (r225354) @@ -538,6 +538,7 @@ smc_task_tx(void *context, int pending) struct smc_softc *sc; struct mbuf *m, *m0; u_int packet, len; + int last_len; uint8_t *data; (void)pending; @@ -590,16 +591,18 @@ smc_task_tx(void *context, int pending) * Push the data out to the device. */ data = NULL; + last_len = 0; for (; m != NULL; m = m->m_next) { data = mtod(m, uint8_t *); smc_write_multi_2(sc, DATA0, (uint16_t *)data, m->m_len / 2); + last_len = m->m_len; } /* * Push out the control byte and and the odd byte if needed. */ if ((len & 1) != 0 && data != NULL) - smc_write_2(sc, DATA0, (CTRL_ODD << 8) | data[m->m_len - 1]); + smc_write_2(sc, DATA0, (CTRL_ODD << 8) | data[last_len - 1]); else smc_write_2(sc, DATA0, 0);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109022035.p82KZMJr015059>