authorDamien Bergamini <damien@cvs.openbsd.org>2005-06-20 18:25:15 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2005-06-20 18:25:15 +0000
commit3ff97ca87844dda769341c3f5f67e36d6a0c8531 (patch)
tree36e68be50433ab9205a1c468e6d321c15ed61e78 /sys/dev/ic/ral.c
parentca383e2442f0350107e9e3f31701f3991bd682a5 (diff)
fix a couple of 'use after free' bugs on mbuf chains in the tx path.
originally pointed out by Mike Silbersack on the fbsd version of the iwi driver.
Diffstat (limited to 'sys/dev/ic/ral.c')
-rw-r--r--sys/dev/ic/ral.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/dev/ic/ral.c b/sys/dev/ic/ral.c
index a68e5895a9d..6625582f7d4 100644
--- a/sys/dev/ic/ral.c
+++ b/sys/dev/ic/ral.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ral.c,v 1.54 2005/06/08 23:49:56 naddy Exp $ */
+/* $OpenBSD: ral.c,v 1.55 2005/06/20 18:25:10 damien Exp $ */
/*-
* Copyright (c) 2005
@@ -1803,6 +1803,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni)
m0 = ieee80211_wep_crypt(ifp, m0, 1);
if (m0 == NULL)
return ENOBUFS;
+
+ /* packet header may have moved, reset our local pointer */
+ wh = mtod(m0, struct ieee80211_frame *);
}
/*
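Review bot: The comment added after the `ieee80211_wep_crypt()` call says the header "may have moved" but not why the old `wh` is unsafe to keep. Going by the commit message, the call can hand back a different mbuf chain and release the one `wh` pointed into, so the comment should state that lifetime rule, e.g. `/* ieee80211_wep_crypt() may return a new chain; wh pointed into the old one, so re-derive it */`. The same rule applies at the second hunk (`@@ -1910`), where the comment also reads "have moved" for "has moved". `ral_tx_data` starts and ends outside both hunks and `wh` is first assigned before them, so a one-line comment at that first assignment, saying `wh` must be refreshed after any call that can replace `m0`, would help keep a later edit from reintroducing the stale pointer.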
@@ -1910,6 +1913,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni)
m_freem(m0);
return error;
}
+
+ /* packet header have moved, reset our local pointer */
+ wh = mtod(m0, struct ieee80211_frame *);
}
#if NBPFILTER > 0