Subject: Re: Repeatable panic in wi_read_bap
To: Paul Ripke <email@example.com>
From: Martin Husemann <firstname.lastname@example.org>
Date: 12/30/2002 13:48:36
On Mon, Dec 30, 2002 at 11:34:37PM +1100, Paul Ripke wrote:
> wi_read_bap(c06fd000,286,3c,ca45f018,54fe) at wi_read_bap+0x96
> wi_rx_intr(c06fd000,0,c01be614,c045ee7c,c06f1ec0) at wi_rx_intr+0x3c1
Hmm, wi_read_bap is called with a len of 0x54fe - this looks highly bogus,
as the mbuf that this is read into surely cannot hold that much data ;-)
The call where this probably happens is in wi_rx_intr:
    len = le16toh(frmhdr.wi_dat_len);
    off = ALIGN(sizeof(struct ieee80211_frame));
    wi_read_bap(sc, fid, sizeof(frmhdr),
        m->m_data + sizeof(struct ieee80211_frame), len);
Probably the len from the received frame header should be sanity-checked?
I have no clue where the wrong header comes from, though.
Please file a PR!
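Added example, not code from the NetBSD wi(4) driver or from this thread: a simplified receive path in C that applies the sanity check suggested above before copying into the mbuf. The sizes IEEE80211_HDR_LEN and RX_MBUF_SIZE are constructed stand-ins, and wi_len_is_sane, wi_rx_frame and demo_rx are hypothetical names; demo_rx replays the 0x54fe length from the backtrace alongside a plausible one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sizes standing in for the kernel's own values. */
#define IEEE80211_HDR_LEN 24     /* stands in for sizeof(struct ieee80211_frame) */
#define RX_MBUF_SIZE      2048   /* hypothetical capacity of the receive mbuf */

/* Simplified mbuf: fixed storage plus the count of valid bytes. */
struct rx_mbuf { uint8_t m_data[RX_MBUF_SIZE]; size_t m_len; };

/* Little-endian decode of the header length, as le16toh(frmhdr.wi_dat_len). */
static uint16_t frm_dat_len(const uint8_t hdr[2])
{
    return (uint16_t)(hdr[0] | (hdr[1] << 8));
}

/* The sanity check the e-mail suggests: the device-reported payload length
 * must fit in the mbuf after the 802.11 header. Returns 1 if it fits. */
int wi_len_is_sane(uint16_t len, size_t mbuf_capacity)
{
    return len <= mbuf_capacity - IEEE80211_HDR_LEN;
}

/* Stand-in for the copy step in wi_rx_intr: copy only once the check passes.
 * bap_avail bounds the simulated BAP buffer. Returns bytes copied, or -1 on drop. */
int wi_rx_frame(struct rx_mbuf *m, const uint8_t hdr[2],
                const uint8_t *bap, size_t bap_avail)
{
    uint16_t len = frm_dat_len(hdr);
    if (!wi_len_is_sane(len, sizeof m->m_data) || len > bap_avail)
        return -1;                         /* bogus header: drop the frame */
    memcpy(m->m_data + IEEE80211_HDR_LEN, bap, len);
    m->m_len = IEEE80211_HDR_LEN + len;
    return (int)len;
}

/* Feed a header carrying wire_len through the receive path. */
int demo_rx(uint16_t wire_len)
{
    static const uint8_t bap[RX_MBUF_SIZE];     /* constructed BAP contents */
    const uint8_t hdr[2] = { (uint8_t)wire_len, (uint8_t)(wire_len >> 8) };
    struct rx_mbuf m;
    return wi_rx_frame(&m, hdr, bap, sizeof bap);
}

int main(void)
{
    printf("len 0x54fe -> %d, len 0x3c -> %d\n", demo_rx(0x54fe), demo_rx(0x3c));
    return 0;
}
```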