sgmap loading didnt respect the dmamaps max number of segments.

this let it wanter off writing segment descriptors off in memory
it didnt own, which led to some pretty awesome memory corruption.

if you had a network card with a small number of tx descriptors per
packet, a lot of memory, and a heavily fragmented packet (ie, ssh)
you were basically guaranteed a confusing panic.

ok miod@

1 files changed, 4 insertions, 1 deletions

diff --git a/sys/arch/alpha/dev/sgmap_typedep.c b/sys/arch/alpha/dev/sgmap_typedep.c
index 6aef4ec9842..cb8ef29f7da 100644
--- a/sys/arch/alpha/dev/sgmap_typedep.c
+++ b/sys/arch/alpha/dev/sgmap_typedep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sgmap_typedep.c,v 1.13 2014/03/31 21:10:10 kettenis Exp $ */
+/* $OpenBSD: sgmap_typedep.c,v 1.14 2014/07/11 12:55:32 dlg Exp $ */
 /* $NetBSD: sgmap_typedep.c,v 1.17 2001/07/19 04:27:37 thorpej Exp $ */
 
 /*-
@@ -64,6 +64,9 @@ __C(SGMAP_TYPE,_load_buffer)(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
 	SGMAP_PTE_TYPE *pte, *page_table = sgmap->aps_pt;
 	int pteidx, error, spill;
 
+	if (seg >= map->_dm_segcnt)
+		return (EFBIG);
+
 	/* Initialize the spill page PTE if it hasn't been already. */
 	if (__C(SGMAP_TYPE,_prefetch_spill_page_pte) == 0)
 		__C(SGMAP_TYPE,_init_spill_page_pte)();