aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Chan <mchan@broadcom.com>2007-01-08 22:56:13 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2007-01-09 03:30:04 -0500
commite6be763f63420c334710a5a0818e6bfcf5d593f8 (patch)
tree7ff84d869b78f73b1ee22f9d9deff44899661263
parent253c8b75546c5f21d5321d691df92c1e84d9b0fb (diff)
[BNX2]: Fix bug in bnx2_nvram_write().
The bug was a bogus pointer being passed to kfree(). The pointer was incremented in the write loop and then passed to kfree(). The fix is to use align_buf to save the original address. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/bnx2.c20
1 files changed, 9 insertions, 11 deletions
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
index e325f9337225..08a77a36b4c6 100644
--- a/drivers/net/bnx2.c
+++ b/drivers/net/bnx2.c
@@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
3083 int buf_size) 3083 int buf_size)
3084{ 3084{
3085 u32 written, offset32, len32; 3085 u32 written, offset32, len32;
3086 u8 *buf, start[4], end[4], *flash_buffer = NULL; 3086 u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL;
3087 int rc = 0; 3087 int rc = 0;
3088 int align_start, align_end; 3088 int align_start, align_end;
3089 3089
@@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
3111 } 3111 }
3112 3112
3113 if (align_start || align_end) { 3113 if (align_start || align_end) {
3114 buf = kmalloc(len32, GFP_KERNEL); 3114 align_buf = kmalloc(len32, GFP_KERNEL);
3115 if (buf == NULL) 3115 if (align_buf == NULL)
3116 return -ENOMEM; 3116 return -ENOMEM;
3117 if (align_start) { 3117 if (align_start) {
3118 memcpy(buf, start, 4); 3118 memcpy(align_buf, start, 4);
3119 } 3119 }
3120 if (align_end) { 3120 if (align_end) {
3121 memcpy(buf + len32 - 4, end, 4); 3121 memcpy(align_buf + len32 - 4, end, 4);
3122 } 3122 }
3123 memcpy(buf + align_start, data_buf, buf_size); 3123 memcpy(align_buf + align_start, data_buf, buf_size);
3124 buf = align_buf;
3124 } 3125 }
3125 3126
3126 if (bp->flash_info->buffered == 0) { 3127 if (bp->flash_info->buffered == 0) {
@@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
3254 } 3255 }
3255 3256
3256nvram_write_end: 3257nvram_write_end:
3257 if (bp->flash_info->buffered == 0) 3258 kfree(flash_buffer);
3258 kfree(flash_buffer); 3259 kfree(align_buf);
3259
3260 if (align_start || align_end)
3261 kfree(buf);
3262 return rc; 3260 return rc;
3263} 3261}
3264 3262