From aa4d83a3b71a254224304b3680c77da74efd7115 Mon Sep 17 00:00:00 2001
From: Mark Kettenis
Date: Sat, 22 Dec 2018 14:42:30 +0000
Subject: Avoid using m_trailingspace(9) on an mbuf allocated with MGET(9) as it relies on header fields that aren't initialized, which may trigger an assertion. Check whether the control message doesn't exceed MLEN instead and turn the check into a KASSERT as the driver should not generate control messages that are larger. with help form claudio@ (who points out that the driver should not use MT_CONTROL here). ok patrick@
---
 sys/dev/sdmmc/if_bwfm_sdio.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'sys/dev/sdmmc')
diff --git a/sys/dev/sdmmc/if_bwfm_sdio.c b/sys/dev/sdmmc/if_bwfm_sdio.c
index f28c78f5b20..cd3c93bd55c 100644
--- a/sys/dev/sdmmc/if_bwfm_sdio.c
+++ b/sys/dev/sdmmc/if_bwfm_sdio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bwfm_sdio.c,v 1.26 2018/11/09 14:14:31 claudio Exp $ */
+/* $OpenBSD: if_bwfm_sdio.c,v 1.27 2018/12/22 14:42:29 kettenis Exp $ */
 /*
 * Copyright (c) 2010-2016 Broadcom Corporation
 * Copyright (c) 2016,2017 Patrick Wildt
@@ -1451,8 +1451,10 @@ bwfm_sdio_txctl(struct bwfm_softc *bwfm, void *arg)
 struct bwfm_proto_bcdc_ctl *ctl = arg;
 struct mbuf *m;
+ KASSERT(ctl->len <= MLEN);
+
 MGET(m, M_DONTWAIT, MT_CONTROL);
- if (m == NULL || m_trailingspace(m) < ctl->len) {
+ if (m == NULL) {
 free(ctl->buf, M_TEMP, ctl->len);
 free(ctl, M_TEMP, sizeof(*ctl));
 return 1;
--
cgit v1.2.3
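Review bot: In the second hunk the added `KASSERT(ctl->len <= MLEN);` becomes the only bound on `ctl->len` in bwfm_sdio_txctl, and KASSERT is compiled out of kernels built without DIAGNOSTIC, so on such a kernel nothing rejects an oversized control message once the `m_trailingspace(m) < ctl->len` test is removed. The function body continues past the end of the hunk; if it copies `ctl->len` bytes into the MGET mbuf, as the old check suggests, a length above MLEN would write past the mbuf's data area. I would keep the assertion as a debugging aid and also retain a runtime guard that reuses the existing error path, e.g. declare `struct mbuf *m = NULL;` and allocate with `if (ctl->len <= MLEN) MGET(m, M_DONTWAIT, MT_CONTROL);`, so the `m == NULL` branch still frees `ctl` and returns 1. A one-line comment above the assertion, `/* m_trailingspace() is not usable here: MGET leaves the header fields it reads uninitialized */`, would keep a later reader from re-adding the old check.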