From owner-cvs-src-old@FreeBSD.ORG  Fri Nov  5 19:50:22 2010
Return-Path: <owner-cvs-src-old@FreeBSD.ORG>
Delivered-To: cvs-src-old@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 65CFA106566B
	for <cvs-src-old@freebsd.org>; Fri,  5 Nov 2010 19:50:22 +0000 (UTC)
	(envelope-from jkim@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 530F68FC1C
	for <cvs-src-old@freebsd.org>; Fri,  5 Nov 2010 19:50:22 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id oA5JoMB1000725
	for <cvs-src-old@freebsd.org>; Fri, 5 Nov 2010 19:50:22 GMT
	(envelope-from jkim@repoman.freebsd.org)
Received: (from svn2cvs@localhost)
	by repoman.freebsd.org (8.14.4/8.14.4/Submit) id oA5JoML2000724
	for cvs-src-old@freebsd.org; Fri, 5 Nov 2010 19:50:22 GMT
	(envelope-from jkim@repoman.freebsd.org)
Message-Id: <201011051950.oA5JoML2000724@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: svn2cvs set sender to
	jkim@repoman.freebsd.org using -f
From: Jung-uk Kim <jkim@FreeBSD.org>
Date: Fri, 5 Nov 2010 19:50:09 +0000 (UTC)
To: cvs-src-old@freebsd.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/dev/acpica acpi_pci_link.c
X-BeenThere: cvs-src-old@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the src tree
	<cvs-src-old.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src-old>,
	<mailto:cvs-src-old-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src-old>
List-Post: <mailto:cvs-src-old@freebsd.org>
List-Help: <mailto:cvs-src-old-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src-old>,
	<mailto:cvs-src-old-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2010 19:50:22 -0000

jkim        2010-11-05 19:50:09 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/acpica       acpi_pci_link.c 
  Log:
  SVN rev 214848 on 2010-11-05 19:50:09Z by jkim
  
  Fix a use-after-free bug for extended IRQ resource[1].  When _PRS buffer is
  copied as a template for _SRS, a string pointer for descriptor name is also
  copied and it becomes stale as soon as it gets de-allocated[2].  Now _CRS is
  used as a template for _SRS as ACPI specification suggests if it is usable.
  The template from _PRS is still utilized but only when _CRS is not available
  or broken.  To avoid use-after-free the problem in this case, however, only
  mandatory fields are copied, optional data is removed, and structure length
  is adjusted accordingly.
  
  Reported by:    hps[1]
  Analyzed by:    avg[2]
  Tested by:      hps
  
  Revision  Changes    Path
  1.60      +34 -44    src/sys/dev/acpica/acpi_pci_link.c