From f7a5f7371a284ce3fc46d633926bea6938f7ecc0 Mon Sep 17 00:00:00 2001 From: Pyun YongHyeon Date: Fri, 14 May 2010 17:39:28 +0000 Subject: If controller received bad frames make sure to update newly added RFA. Also drop frames that have either CRC error or alignment error. Normally bad frames are not received at all. But controllers running in promiscuous mode will receive bad frames. 82557 will also receive bad frames to receive VLAN oversized frames. While I'm here mark RNR condition if driver happen to see RNR in RFA status and restart RU to receive frames again. Because driver checks all received frames in RX loop, RNR condition could be set in the middle of RX processing. Just relying on RNR interrupt was not enough. This change fixes "Memory modified after free" issue when fxp(4) is running as a member of if_bridge(4). Tested by: Larry Baird gta dot com> MFC after: 5 days --- sys/dev/fxp/if_fxp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'sys/dev/fxp') diff --git a/sys/dev/fxp/if_fxp.c b/sys/dev/fxp/if_fxp.c index 006ec526b59a..079ecc1e82d9 100644 --- a/sys/dev/fxp/if_fxp.c +++ b/sys/dev/fxp/if_fxp.c @@ -1916,6 +1916,8 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack, if ((status & FXP_RFA_STATUS_C) == 0) break; + if ((status & FXP_RFA_STATUS_RNR) != 0) + rnr++; /* * Advance head forward. */ @@ -1942,9 +1944,12 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack, total_len -= 2; } if (total_len < sizeof(struct ether_header) || - total_len > MCLBYTES - RFA_ALIGNMENT_FUDGE - - sc->rfa_size || status & FXP_RFA_STATUS_CRC) { + total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - + sc->rfa_size) || + status & (FXP_RFA_STATUS_CRC | + FXP_RFA_STATUS_ALIGN)) { m_freem(m); + fxp_add_rfabuf(sc, rxp); continue; } -- cgit v1.2.3