diff options
| author | Mark Kettenis <kettenis@cvs.openbsd.org> | 2018-12-22 14:42:30 +0000 |
|---|---|---|
| committer | Mark Kettenis <kettenis@cvs.openbsd.org> | 2018-12-22 14:42:30 +0000 |
| commit | aa4d83a3b71a254224304b3680c77da74efd7115 (patch) | |
| tree | f6ac3a907e6dc026ad7fe2280ee08a75f5a88aa0 /sys | |
| parent | e1d86d0d2b376fc4eca78c2e0688b8e32d83025e (diff) | |
Avoid using m_trailingspace(9) on an mbuf allocated with MGET(9) as it relies
on header fields that aren't initialized, which may trigger an assertion.
Check whether the control message doesn't exceed MLEN instead and turn the
check into a KASSERT as the driver should not generate control messages
that are larger.
with help form claudio@ (who points out that the driver should not use
MT_CONTROL here).
ok patrick@
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/sdmmc/if_bwfm_sdio.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/dev/sdmmc/if_bwfm_sdio.c b/sys/dev/sdmmc/if_bwfm_sdio.c index f28c78f5b20..cd3c93bd55c 100644 --- a/sys/dev/sdmmc/if_bwfm_sdio.c +++ b/sys/dev/sdmmc/if_bwfm_sdio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bwfm_sdio.c,v 1.26 2018/11/09 14:14:31 claudio Exp $ */ +/* $OpenBSD: if_bwfm_sdio.c,v 1.27 2018/12/22 14:42:29 kettenis Exp $ */ /* * Copyright (c) 2010-2016 Broadcom Corporation * Copyright (c) 2016,2017 Patrick Wildt <patrick@blueri.se> @@ -1451,8 +1451,10 @@ bwfm_sdio_txctl(struct bwfm_softc *bwfm, void *arg) struct bwfm_proto_bcdc_ctl *ctl = arg; struct mbuf *m; + KASSERT(ctl->len <= MLEN); + MGET(m, M_DONTWAIT, MT_CONTROL); - if (m == NULL || m_trailingspace(m) < ctl->len) { + if (m == NULL) { free(ctl->buf, M_TEMP, ctl->len); free(ctl, M_TEMP, sizeof(*ctl)); return 1; |