Date: Tue, 17 Feb 1998 03:10:43 -0800 From: Mike Smith <mike@smith.net.au> To: Eivind Eklund <eivind@yes.no> Cc: hackers@FreeBSD.ORG Subject: Re: ed overwrite clue? Message-ID: <199802171110.DAA01377@dingo.cdrom.com> In-Reply-To: Your message of "Tue, 17 Feb 1998 11:46:23 %2B0100." <19980217114623.18048@follo.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> This might be a clue for the strange ED overwrites (or it might be > something completely unrelated :-) It looks kinda interesting, at any rate: > I'm getting panic()s from if_ed.c overwriting strange locations from > > > /* get pointer to this buffer's header structure */ > packet_ptr = sc->mem_ring + > (sc->next_packet - sc->rec_page_start) * ED_PAGE_SIZE; > > /* > * The byte count includes a 4 byte header that was added by > * the NIC. > */ > if (sc->mem_shared) > packet_hdr = *(struct ed_ring *) packet_ptr; > else > HERE--> ed_pio_readmem(sc, (int)packet_ptr, (char *) &packet_hdr, > sizeof(packet_hdr)); Weird. The destination should be on the stack - are you comfortable that you haven't overrun the end of the stack? > #4 0xf01b34ae in ed_pio_readmem (sc=0xf01ed400, src=25088, > dst=0xefbfffc0 "'", amount=4) at machine/cpufunc.h:185 In my copy of cpufunc.h, line 185 is insb(). Is this an 8-bit card? (Don't let my questions distract you, I'm just curious...) -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199802171110.DAA01377>