On Mon, Jan 30, 2017 at 03:28:21PM +0100, Jeremie Courreges-Anglas wrote:
> 
> If fw_loadpage fails, the size passed to free(9) is bogus.  Always pass
> the size returned by load_firmware instead.  I hit this a few days ago,
> ok?

ok stsp@
 
> Index: rtwn.c
> ===================================================================
> RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v
> retrieving revision 1.12
> diff -u -p -p -u -r1.12 rtwn.c
> --- rtwn.c    26 Jan 2017 10:57:37 -0000      1.12
> +++ rtwn.c    30 Jan 2017 12:08:56 -0000
> @@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc
>  {
>       const struct r92c_fw_hdr *hdr;
>       u_char *fw, *ptr;
> -     size_t len;
> +     size_t len0, len;
>       uint32_t reg;
>       int mlen, ntries, page, error;
>  
>       /* Read firmware image from the filesystem. */
> -     error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len);
> +     error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0);
>       if (error)
>               return (error);
> +     len = len0;
>       if (len < sizeof(*hdr)) {
>               printf("%s: firmware too short\n", sc->sc_pdev->dv_xname);
>               error = EINVAL;
> @@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc
>               goto fail;
>       }
>   fail:
> -     free(fw, M_DEVBUF, len);
> +     free(fw, M_DEVBUF, len0);
>       return (error);
>  }
>  
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
> 

Reply via email to