misc/78431: bt3c device driver sends too many bytes

Iain Hibbert plunky at rya-online.net
Fri Mar 4 23:30:19 GMT 2005


>Number:         78431
>Category:       misc
>Synopsis:       bt3c device driver sends too many bytes
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 04 23:30:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Iain Hibbert
>Release:        NetBSD 2.0 :)
>Organization:
NetBSD
>Environment:
latest source on CVS server
>Description:
I am writing a device driver on NetBSD for the bt3c device and using your source as a reference.

In the file src/sys/netgraph/bluetooth/drivers/bt3c/ng_bt3c_pccard.c, that is to say the bt3c device driver, in function bt3c_send(), on line 1100, there is a loop like this:

len = min((BT3C_FIFO_SIZE - wrote), m->m_len);

for(i = 0; i < m->m_len ; i++)
        bt3c_write_data(sc, m->m_data[i]);

to send data from the mbuf to the bt3c device. If you look at the control loop, it should not be using m->m_len there because it might be bigger than the space left in the fifo.  The line before works out the correct number of bytes to write, so the loop should use that figure, as in:

for (i = 0 ; i < len ; i++)
        bt3c_write_data(sc, ...)



>How-To-Repeat:
      I'm not sure that it is a problem, since I am not running FreeBSD. The code as-is will just put too many bytes in the FIFO, but since it was full then maybe nothing would happen in any case, who can tell..
>Fix:
      see above.
>Release-Note:
>Audit-Trail:
>Unformatted:
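
The loop-bound difference described in this report, as an added example that is not part of the original PR or the FreeBSD driver source. The value of BT3C_FIFO_SIZE, the zero-filled payload, model_write_data() and send_seg() are assumptions made for the demo; the model only counts bytes pushed after the FIFO is full and says nothing about what the hardware does with them.

```c
#include <stddef.h>
#include <stdio.h>

#define BT3C_FIFO_SIZE 256              /* assumed value, for the demo only */

static const unsigned char sample[300]; /* constructed payload (all zeroes) */

struct result {
    size_t len;      /* bytes the min() calculation allows */
    size_t pushed;   /* bytes actually handed to the FIFO */
    size_t overrun;  /* bytes pushed after the FIFO was already full */
};

/* Hypothetical stand-in for bt3c_write_data(): counts the byte instead of
 * touching hardware, and notes when it arrives with no room left. */
static void model_write_data(size_t *fill, struct result *r, unsigned char b)
{
    (void)b;
    r->pushed++;
    if (*fill < BT3C_FIFO_SIZE)
        (*fill)++;
    else
        r->overrun++;
}

/* One pass of the copy loop for a buffer of m_len bytes when `wrote` bytes
 * are already queued. fixed == 0 uses the reported bound (m_len),
 * fixed != 0 uses the bound proposed in the report (len). */
static struct result send_seg(size_t wrote, const unsigned char *m_data,
                              size_t m_len, int fixed)
{
    struct result r = { 0, 0, 0 };
    size_t fill = wrote, space = BT3C_FIFO_SIZE - wrote, i;

    r.len = space < m_len ? space : m_len;
    for (i = 0; i < (fixed ? r.len : m_len); i++)
        model_write_data(&fill, &r, m_data[i]);
    return r;
}

int main(void)
{
    struct result bad = send_seg(200, sample, 100, 0);
    struct result good = send_seg(200, sample, 100, 1);

    printf("m_len bound: pushed=%zu overrun=%zu\n", bad.pushed, bad.overrun);
    printf("len bound:   pushed=%zu overrun=%zu\n", good.pushed, good.overrun);
    return 0;
}
```

The two bounds only differ when the buffer is longer than the space left, which is why the problem would not show up with short packets on an empty FIFO.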

