On Mon, Jan 30, 2017 at 03:28:21PM +0100, Jeremie Courreges-Anglas wrote:
>
> If fw_loadpage fails, the size passed to free(9) is bogus. Always pass
> the size returned by load_firmware instead. I hit this a few days ago,
> ok?
ok stsp@
> Index: rtwn.c
> ===
> RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v
> retrieving revision 1.12
> diff -u -p -p -u -r1.12 rtwn.c
> --- rtwn.c26 Jan 2017 10:57:37 - 1.12
> +++ rtwn.c30 Jan 2017 12:08:56 -
> @@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc
> {
> const struct r92c_fw_hdr *hdr;
> u_char *fw, *ptr;
> - size_t len;
> + size_t len0, len;
> uint32_t reg;
> int mlen, ntries, page, error;
>
> /* Read firmware image from the filesystem. */
> - error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len);
> + error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0);
> if (error)
> return (error);
> + len = len0;
> if (len < sizeof(*hdr)) {
> printf("%s: firmware too short\n", sc->sc_pdev->dv_xname);
> error = EINVAL;
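Review bot: The split between `len0` and `len` is not explained anywhere in the new code, so the reason the `free(fw, M_DEVBUF, len0)` call in the second hunk must not use `len` is easy to lose in a later cleanup. A comment at the `len = len0;` assignment would keep that visible: `/* len0 stays the allocation size for free(9); len is consumed while parsing and uploading. */`. The part of rtwn_load_firmware() that modifies `len` lies outside both hunks, so that it shrinks as the image is consumed is inferred from the commit message rather than seen here. A more descriptive name than `len0`, for example `fwlen`, would also make the pairing with `fw` obvious at the `fail:` label.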
> @@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc
> goto fail;
> }
> fail:
> - free(fw, M_DEVBUF, len);
> + free(fw, M_DEVBUF, len0);
> return (error);
> }
>
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>