author | Damien Bergamini <damien@cvs.openbsd.org> | 2005-06-20 18:25:15 +0000 |
committer | Damien Bergamini <damien@cvs.openbsd.org> | 2005-06-20 18:25:15 +0000 |
commit | 3ff97ca87844dda769341c3f5f67e36d6a0c8531 (patch) | |
tree | 36e68be50433ab9205a1c468e6d321c15ed61e78 | |
parent | ca383e2442f0350107e9e3f31701f3991bd682a5 (diff) |
fix a couple of 'use after free' bugs on mbuf chains in the tx path.
originally pointed out by Mike Silbersack on the fbsd version of the iwi
driver.
-rw-r--r-- | sys/dev/ic/ral.c | 8 | ||||
-rw-r--r-- | sys/dev/pci/if_iwi.c | 13 |
2 files changed, 12 insertions, 9 deletions
diff --git a/sys/dev/ic/ral.c b/sys/dev/ic/ral.c
index a68e5895a9d..6625582f7d4 100644
--- a/sys/dev/ic/ral.c
+++ b/sys/dev/ic/ral.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ral.c,v 1.54 2005/06/08 23:49:56 naddy Exp $ */
+/* $OpenBSD: ral.c,v 1.55 2005/06/20 18:25:10 damien Exp $ */
 /*-
  * Copyright (c) 2005
@@ -1803,6 +1803,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni)
 m0 = ieee80211_wep_crypt(ifp, m0, 1);
 if (m0 == NULL)
 return ENOBUFS;
+
+ /* packet header may have moved, reset our local pointer */
+ wh = mtod(m0, struct ieee80211_frame *);
 }
 /*
@@ -1910,6 +1913,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni)
 m_freem(m0);
 return error;
 }
+
+ /* packet header have moved, reset our local pointer */
+ wh = mtod(m0, struct ieee80211_frame *);
 }
 #if NBPFILTER > 0
diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c
index f23cf4b79d5..15d867cc3f5 100644
--- a/sys/dev/pci/if_iwi.c
+++ b/sys/dev/pci/if_iwi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwi.c,v 1.44 2005/05/22 16:30:30 damien Exp $ */
+/* $OpenBSD: if_iwi.c,v 1.45 2005/06/20 18:25:14 damien Exp $ */
 /*-
  * Copyright (c) 2004, 2005
@@ -1078,7 +1078,6 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
 {
 struct iwi_softc *sc = ifp->if_softc;
 struct ieee80211com *ic = &sc->sc_ic;
- struct ieee80211_frame *wh;
 struct iwi_tx_buf *buf;
 struct iwi_tx_desc *desc;
 struct mbuf *mnew;
@@ -1105,9 +1104,8 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
 buf = &sc->tx_buf[sc->tx_cur];
 desc = &sc->tx_desc[sc->tx_cur];
- wh = mtod(m0, struct ieee80211_frame *);
-
- /* trim IEEE802.11 header */
+ /* save and trim IEEE802.11 header */
+ m_copydata(m0, 0, sizeof (struct ieee80211_frame), (caddr_t)&desc->wh);
 m_adj(m0, sizeof (struct ieee80211_frame));
 error = bus_dmamap_load_mbuf(sc->sc_dmat, buf->map, m0, BUS_DMA_NOWAIT);
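Review bot: The comment added in the second ral_tx_data hunk (`@@ -1910`, after the `m_freem(m0); return error;` error path) reads `/* packet header have moved, reset our local pointer */`, which is ungrammatical and, unlike the first hunk's wording, states the header did move rather than that it may have; suggest `/* packet header may have moved, reset our local pointer */` so both reset sites read identically. Both resets also assume that after ieee80211_wep_crypt() and after the mbuf defragmentation path the whole `struct ieee80211_frame` is contiguous in the first mbuf, which is what `mtod()` requires; that appears to hold for the chains those routines build but is not visible in the hunks, and a short comment recording the assumption would help the next reader. ral_tx_data begins and ends outside both hunks.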
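Review bot: `m_copydata(m0, 0, sizeof (struct ieee80211_frame), (caddr_t)&desc->wh)` in the `@@ -1105` hunk copies a full 802.11 header unconditionally, and the mbuf code panics rather than returning an error when the chain is shorter than the requested length, so the call now depends on every frame reaching iwi_tx_start() with at least `sizeof (struct ieee80211_frame)` bytes of data; that precondition is presumably established by the 802.11 layer before this point, but nothing in the hunk shows it. Either a guard on `m0->m_pkthdr.len` before the copy that frees the chain and returns through the function's existing error path, or a comment such as `/* caller guarantees a complete 802.11 header in m0 */`, would make the contract explicit. Copying the header into the descriptor before m_adj() is the right fix for the use-after-free, since the later `desc->wh` reads in the `@@ -1158` hunk no longer touch mbuf data that bus_dmamap_load_mbuf() may have replaced. iwi_tx_start's body continues outside the hunk.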
@@ -1158,11 +1156,11 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
 desc->len = htole16(m0->m_pkthdr.len);
 desc->flags = 0;
- if (!IEEE80211_IS_MULTICAST(wh->i_addr1))
+ if (!IEEE80211_IS_MULTICAST(desc->wh.i_addr1))
 desc->flags |= IWI_DATA_FLAG_NEED_ACK;
 if (ic->ic_flags & IEEE80211_F_WEPON) {
- wh->i_fc[1] |= IEEE80211_FC1_WEP;
+ desc->wh.i_fc[1] |= IEEE80211_FC1_WEP;
 desc->wep_txkey = ic->ic_wep_txkey;
 } else
 desc->flags |= IWI_DATA_FLAG_NO_WEP;
@@ -1170,7 +1168,6 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni)
 if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
 desc->flags |= IWI_DATA_FLAG_SHPREAMBLE;
- bcopy(wh, &desc->wh, sizeof (struct ieee80211_frame));
 desc->nseg = htole32(buf->map->dm_nsegs);
 for (i = 0; i < buf->map->dm_nsegs; i++) {
 desc->seg_addr[i] = htole32(buf->map->dm_segs[i].ds_addr); |