diff options
| author | Damien Bergamini <damien@cvs.openbsd.org> | 2005-06-20 18:25:15 +0000 |
|---|---|---|
| committer | Damien Bergamini <damien@cvs.openbsd.org> | 2005-06-20 18:25:15 +0000 |
| commit | 3ff97ca87844dda769341c3f5f67e36d6a0c8531 (patch) | |
| tree | 36e68be50433ab9205a1c468e6d321c15ed61e78 /sys | |
| parent | ca383e2442f0350107e9e3f31701f3991bd682a5 (diff) | |
fix a couple of 'use after free' bugs on mbuf chains in the tx path.
originally pointed out by Mike Silbersack on the fbsd version of the iwi
driver.
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/ic/ral.c | 8 | ||||
| -rw-r--r-- | sys/dev/pci/if_iwi.c | 13 |
2 files changed, 12 insertions, 9 deletions
diff --git a/sys/dev/ic/ral.c b/sys/dev/ic/ral.c index a68e5895a9d..6625582f7d4 100644 --- a/sys/dev/ic/ral.c +++ b/sys/dev/ic/ral.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ral.c,v 1.54 2005/06/08 23:49:56 naddy Exp $ */ +/* $OpenBSD: ral.c,v 1.55 2005/06/20 18:25:10 damien Exp $ */ /*- * Copyright (c) 2005 @@ -1803,6 +1803,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni) m0 = ieee80211_wep_crypt(ifp, m0, 1); if (m0 == NULL) return ENOBUFS; + + /* packet header may have moved, reset our local pointer */ + wh = mtod(m0, struct ieee80211_frame *); } /* @@ -1910,6 +1913,9 @@ ral_tx_data(struct ral_softc *sc, struct mbuf *m0, struct ieee80211_node *ni) m_freem(m0); return error; } + + /* packet header have moved, reset our local pointer */ + wh = mtod(m0, struct ieee80211_frame *); } #if NBPFILTER > 0 diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c index f23cf4b79d5..15d867cc3f5 100644 --- a/sys/dev/pci/if_iwi.c +++ b/sys/dev/pci/if_iwi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwi.c,v 1.44 2005/05/22 16:30:30 damien Exp $ */ +/* $OpenBSD: if_iwi.c,v 1.45 2005/06/20 18:25:14 damien Exp $ */ /*- * Copyright (c) 2004, 2005 @@ -1078,7 +1078,6 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni) { struct iwi_softc *sc = ifp->if_softc; struct ieee80211com *ic = &sc->sc_ic; - struct ieee80211_frame *wh; struct iwi_tx_buf *buf; struct iwi_tx_desc *desc; struct mbuf *mnew; @@ -1105,9 +1104,8 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni) buf = &sc->tx_buf[sc->tx_cur]; desc = &sc->tx_desc[sc->tx_cur]; - wh = mtod(m0, struct ieee80211_frame *); - - /* trim IEEE802.11 header */ + /* save and trim IEEE802.11 header */ + m_copydata(m0, 0, sizeof (struct ieee80211_frame), (caddr_t)&desc->wh); m_adj(m0, sizeof (struct ieee80211_frame)); error = bus_dmamap_load_mbuf(sc->sc_dmat, buf->map, m0, BUS_DMA_NOWAIT); @@ -1158,11 +1156,11 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni) desc->len = htole16(m0->m_pkthdr.len); desc->flags = 0; - if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) + if (!IEEE80211_IS_MULTICAST(desc->wh.i_addr1)) desc->flags |= IWI_DATA_FLAG_NEED_ACK; if (ic->ic_flags & IEEE80211_F_WEPON) { - wh->i_fc[1] |= IEEE80211_FC1_WEP; + desc->wh.i_fc[1] |= IEEE80211_FC1_WEP; desc->wep_txkey = ic->ic_wep_txkey; } else desc->flags |= IWI_DATA_FLAG_NO_WEP; @@ -1170,7 +1168,6 @@ iwi_tx_start(struct ifnet *ifp, struct mbuf *m0, struct ieee80211_node *ni) if (ic->ic_flags & IEEE80211_F_SHPREAMBLE) desc->flags |= IWI_DATA_FLAG_SHPREAMBLE; - bcopy(wh, &desc->wh, sizeof (struct ieee80211_frame)); desc->nseg = htole32(buf->map->dm_nsegs); for (i = 0; i < buf->map->dm_nsegs; i++) { desc->seg_addr[i] = htole32(buf->map->dm_segs[i].ds_addr); |