Re: rtwn: correct free size

2017-01-30 Thread Stefan Sperling
On Mon, Jan 30, 2017 at 03:28:21PM +0100, Jeremie Courreges-Anglas wrote:
> 
> If fw_loadpage fails, the size passed to free(9) is bogus.  Always pass
> the size returned by load_firmware instead.  I hit this a few days ago,
> ok?

ok stsp@
 
> Index: rtwn.c
> ===
> RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v
> retrieving revision 1.12
> diff -u -p -p -u -r1.12 rtwn.c
> --- rtwn.c26 Jan 2017 10:57:37 -  1.12
> +++ rtwn.c30 Jan 2017 12:08:56 -
> @@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc
>  {
>   const struct r92c_fw_hdr *hdr;
>   u_char *fw, *ptr;
> - size_t len;
> + size_t len0, len;
>   uint32_t reg;
>   int mlen, ntries, page, error;
>  
>   /* Read firmware image from the filesystem. */
> - error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len);
> + error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0);
>   if (error)
>   return (error);
> + len = len0;
>   if (len < sizeof(*hdr)) {
>   printf("%s: firmware too short\n", sc->sc_pdev->dv_xname);
>   error = EINVAL;
> @@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc
>   goto fail;
>   }
>   fail:
> - free(fw, M_DEVBUF, len);
> + free(fw, M_DEVBUF, len0);
>   return (error);
>  }
>  
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
> 



rtwn: correct free size

2017-01-30 Thread Jeremie Courreges-Anglas

If fw_loadpage fails, the size passed to free(9) is bogus.  Always pass
the size returned by load_firmware instead.  I hit this a few days ago,
ok?


Index: rtwn.c
===
RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v
retrieving revision 1.12
diff -u -p -p -u -r1.12 rtwn.c
--- rtwn.c  26 Jan 2017 10:57:37 -  1.12
+++ rtwn.c  30 Jan 2017 12:08:56 -
@@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc
 {
const struct r92c_fw_hdr *hdr;
u_char *fw, *ptr;
-   size_t len;
+   size_t len0, len;
uint32_t reg;
int mlen, ntries, page, error;
 
/* Read firmware image from the filesystem. */
-   error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len);
+   error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0);
if (error)
return (error);
+   len = len0;
if (len < sizeof(*hdr)) {
printf("%s: firmware too short\n", sc->sc_pdev->dv_xname);
error = EINVAL;
@@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc
goto fail;
}
  fail:
-   free(fw, M_DEVBUF, len);
+   free(fw, M_DEVBUF, len0);
return (error);
 }
 

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE