Module Name:    src
Committed By:   skrll
Date:           Sat Jul  5 09:30:08 UTC 2014

Modified Files:
        src/sys/dev/usb: if_urndis.c

Log Message:
PR/48963: kmem_free size mismatch causes panic when attaching urndis(4).

Fix the size passed to kmem_free in the urndis_ctrl_{query,set} functions.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/dev/usb/if_urndis.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/if_urndis.c
diff -u src/sys/dev/usb/if_urndis.c:1.6 src/sys/dev/usb/if_urndis.c:1.7
--- src/sys/dev/usb/if_urndis.c:1.6	Thu Oct 17 21:07:37 2013
+++ src/sys/dev/usb/if_urndis.c	Sat Jul  5 09:30:08 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_urndis.c,v 1.6 2013/10/17 21:07:37 christos Exp $ */
+/*	$NetBSD: if_urndis.c,v 1.7 2014/07/05 09:30:08 skrll Exp $ */
 /*	$OpenBSD: if_urndis.c,v 1.31 2011/07/03 15:47:17 matthew Exp $ */
 
 /*
@@ -21,7 +21,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_urndis.c,v 1.6 2013/10/17 21:07:37 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_urndis.c,v 1.7 2014/07/05 09:30:08 skrll Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -513,7 +513,7 @@ urndis_ctrl_query(struct urndis_softc *s
 	    le32toh(msg->rm_devicevchdl)));
 
 	rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-	kmem_free(msg, sizeof(*msg));
+	kmem_free(msg, sizeof(*msg) + qlen);
 
 	if (rval != RNDIS_STATUS_SUCCESS) {
 		printf("%s: query failed\n", DEVNAME(sc));
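Review bot: The free size in urndis_ctrl_query is still a hand-copied expression that has to match a kmem_alloc call outside this hunk, which is the same coupling that produced the panic in PR/48963; urndis_ctrl_set has the same shape with `len`. Computing it once, e.g. `const size_t msglen = sizeof(*msg) + qlen;`, and passing `msglen` to both the allocation and `kmem_free(msg, msglen);` would keep the two from drifting apart again. Separately, the `urndis_ctrl_send(sc, msg, sizeof(*msg))` line just above still passes only the header size in both functions; if the extra `qlen`/`len` bytes hold payload appended after the header (not visible here), it is worth confirming whether the send length should be `msglen` as well. Both function bodies start and end outside the hunks shown.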
@@ -566,7 +566,7 @@ urndis_ctrl_set(struct urndis_softc *sc,
 	    le32toh(msg->rm_devicevchdl)));
 
 	rval = urndis_ctrl_send(sc, msg, sizeof(*msg));
-	kmem_free(msg, sizeof(*msg));
+	kmem_free(msg, sizeof(*msg) + len);
 
 	if (rval != RNDIS_STATUS_SUCCESS) {
 		printf("%s: set failed\n", DEVNAME(sc));
