From owner-svn-src-all@FreeBSD.ORG Mon Dec 5 18:10:43 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 76BDD1065675; Mon, 5 Dec 2011 18:10:43 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 6721C8FC0C; Mon, 5 Dec 2011 18:10:43 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pB5IAh0e051864; Mon, 5 Dec 2011 18:10:43 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id pB5IAhgg051862; Mon, 5 Dec 2011 18:10:43 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201112051810.pB5IAhgg051862@svn.freebsd.org> From: Pyun YongHyeon Date: Mon, 5 Dec 2011 18:10:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r228286 - head/sys/dev/ed X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 18:10:43 -0000 Author: yongari Date: Mon Dec 5 18:10:43 2011 New Revision: 228286 URL: http://svn.freebsd.org/changeset/base/228286 Log: Fix off by one error in mbuf access. Previously it caused panic. While I'm here use NULL to compare mbuf pointer and add additional check for zero length mbuf before accessing the mbuf. PR: kern/162932 Modified: head/sys/dev/ed/if_ed.c Modified: head/sys/dev/ed/if_ed.c ============================================================================== --- head/sys/dev/ed/if_ed.c Mon Dec 5 17:44:12 2011 (r228285) +++ head/sys/dev/ed/if_ed.c Mon Dec 5 18:10:43 2011 (r228286) @@ -1709,12 +1709,19 @@ ed_shmem_write_mbufs(struct ed_softc *sc break; } } - for (len = 0; m != 0; m = m->m_next) { - if (sc->isa16bit) - bus_space_write_region_2(sc->mem_bst, - sc->mem_bsh, dst, - mtod(m, uint16_t *), (m->m_len + 1)/ 2); - else + for (len = 0; m != NULL; m = m->m_next) { + if (m->m_len == 0) + continue; + if (sc->isa16bit) { + if (m->m_len > 1) + bus_space_write_region_2(sc->mem_bst, + sc->mem_bsh, dst, + mtod(m, uint16_t *), m->m_len / 2); + if ((m->m_len & 1) != 0) + bus_space_write_1(sc->mem_bst, sc->mem_bsh, + dst + m->m_len - 1, + *(mtod(m, uint8_t *) + m->m_len - 1)); + } else bus_space_write_region_1(sc->mem_bst, sc->mem_bsh, dst, mtod(m, uint8_t *), m->m_len);