Module Name: src Committed By: skrll Date: Sat Jul 5 09:30:08 UTC 2014
Modified Files: src/sys/dev/usb: if_urndis.c Log Message: PR/48963: kmem_free size mismatch causes panic when attaching urndis(4). Fix the size passed in kmem_free in the urndis_ctrl_{query,set} functions To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/dev/usb/if_urndis.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/usb/if_urndis.c diff -u src/sys/dev/usb/if_urndis.c:1.6 src/sys/dev/usb/if_urndis.c:1.7 --- src/sys/dev/usb/if_urndis.c:1.6 Thu Oct 17 21:07:37 2013 +++ src/sys/dev/usb/if_urndis.c Sat Jul 5 09:30:08 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: if_urndis.c,v 1.6 2013/10/17 21:07:37 christos Exp $ */ +/* $NetBSD: if_urndis.c,v 1.7 2014/07/05 09:30:08 skrll Exp $ */ /* $OpenBSD: if_urndis.c,v 1.31 2011/07/03 15:47:17 matthew Exp $ */ /* @@ -21,7 +21,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_urndis.c,v 1.6 2013/10/17 21:07:37 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_urndis.c,v 1.7 2014/07/05 09:30:08 skrll Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -513,7 +513,7 @@ urndis_ctrl_query(struct urndis_softc *s le32toh(msg->rm_devicevchdl))); rval = urndis_ctrl_send(sc, msg, sizeof(*msg)); - kmem_free(msg, sizeof(*msg)); + kmem_free(msg, sizeof(*msg) + qlen); if (rval != RNDIS_STATUS_SUCCESS) { printf("%s: query failed\n", DEVNAME(sc)); @@ -566,7 +566,7 @@ urndis_ctrl_set(struct urndis_softc *sc, le32toh(msg->rm_devicevchdl))); rval = urndis_ctrl_send(sc, msg, sizeof(*msg)); - kmem_free(msg, sizeof(*msg)); + kmem_free(msg, sizeof(*msg) + len); if (rval != RNDIS_STATUS_SUCCESS) { printf("%s: set failed\n", DEVNAME(sc));