svn commit: r229648 - stable/9/sys/dev/ed

Pyun YongHyeon yongari at FreeBSD.org
Thu Jan 5 20:49:49 UTC 2012


Author: yongari
Date: Thu Jan  5 20:49:48 2012
New Revision: 229648
URL: http://svn.freebsd.org/changeset/base/229648

Log:
  MFC r228286:
    Fix off by one error in mbuf access.  Previously it caused panic.
    While I'm here use NULL to compare mbuf pointer and add additional
    check for zero length mbuf before accessing the mbuf.
  
    PR:	kern/162932

Modified:
  stable/9/sys/dev/ed/if_ed.c
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/amd64/include/xen/   (props changed)
  stable/9/sys/boot/   (props changed)
  stable/9/sys/boot/i386/efi/   (props changed)
  stable/9/sys/boot/ia64/efi/   (props changed)
  stable/9/sys/boot/ia64/ski/   (props changed)
  stable/9/sys/boot/powerpc/boot1.chrp/   (props changed)
  stable/9/sys/boot/powerpc/ofw/   (props changed)
  stable/9/sys/cddl/contrib/opensolaris/   (props changed)
  stable/9/sys/conf/   (props changed)
  stable/9/sys/contrib/dev/acpica/   (props changed)
  stable/9/sys/contrib/octeon-sdk/   (props changed)
  stable/9/sys/contrib/pf/   (props changed)
  stable/9/sys/contrib/x86emu/   (props changed)

Modified: stable/9/sys/dev/ed/if_ed.c
==============================================================================
--- stable/9/sys/dev/ed/if_ed.c	Thu Jan  5 20:41:40 2012	(r229647)
+++ stable/9/sys/dev/ed/if_ed.c	Thu Jan  5 20:49:48 2012	(r229648)
@@ -1709,12 +1709,19 @@ ed_shmem_write_mbufs(struct ed_softc *sc
 			break;
 		}
 	}
-	for (len = 0; m != 0; m = m->m_next) {
-		if (sc->isa16bit)
-			bus_space_write_region_2(sc->mem_bst,
-			    sc->mem_bsh, dst,
-			    mtod(m, uint16_t *), (m->m_len + 1)/ 2);
-		else
+	for (len = 0; m != NULL; m = m->m_next) {
+		if (m->m_len == 0)
+			continue;
+		if (sc->isa16bit) {
+			if (m->m_len > 1)
+				bus_space_write_region_2(sc->mem_bst,
+				    sc->mem_bsh, dst,
+				    mtod(m, uint16_t *), m->m_len / 2);
+			if ((m->m_len & 1) != 0)
+				bus_space_write_1(sc->mem_bst, sc->mem_bsh,
+				    dst + m->m_len - 1,
+				    *(mtod(m, uint8_t *) + m->m_len - 1));
+		} else
 			bus_space_write_region_1(sc->mem_bst,
 			    sc->mem_bsh, dst,
 			    mtod(m, uint8_t *), m->m_len);
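Review bot: The new 16-bit branch in `ed_shmem_write_mbufs` has no comment saying why the trailing byte is written separately, and that reason is the whole fix: the old count `(m->m_len + 1) / 2` made the word copy read one byte past the end of an odd-length mbuf. I would add above `if (sc->isa16bit) {` the comment `/* Copy whole 16-bit words only; an odd trailing byte is written on its own so the copy never reads past m_len. */`. Separately, when an odd-length mbuf is not the last in the chain, the next `bus_space_write_region_2` would presumably start at an odd `dst`; the `dst` update lies outside this hunk, so it is worth confirming that the card memory accepts that in 16-bit mode. The loop body continues past the end of the hunk.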

