Remove a couple of explicit memset(0) ops that were zeroing past the end of

an allocation. This fixes the malloc 'use after free' panic on boot that many were seeing. It doesn't solve the problem of the allocations being cached and then written past their bounds later. That will take more work. Submitted by: kan
svn path=/head/; revision=151075
2005-10-08 05:16:45 +00:00 · 2005-10-08 05:16:45 +00:00 · a3699bcaa6 · 2020-12-20 02:59:44 +00:00
commit a3699bcaa6
parent ad45bb822d
1 changed files with 2 additions and 4 deletions
--- a/sys/dev/mpt/mpt.c
+++ b/sys/dev/mpt/mpt.c
@ -1447,10 +1447,9 @@ mpt_read_config_info_ioc(struct mpt_softc *mpt)
 		 hdr.PageNumber, hdr.PageType);

 	len = hdr.PageLength * sizeof(uint32_t);
-	mpt->ioc_page2 = malloc(len, M_DEVBUF, M_NOWAIT);
+	mpt->ioc_page2 = malloc(len, M_DEVBUF, M_NOWAIT | M_ZERO);
 	if (mpt->ioc_page2 == NULL)
 		return (ENOMEM);
-	memset(mpt->ioc_page2, 0, sizeof(*mpt->ioc_page2));
 	memcpy(&mpt->ioc_page2->Header, &hdr, sizeof(hdr));
 	rv = mpt_read_cur_cfg_page(mpt, /*PageAddress*/0,
 				   &mpt->ioc_page2->Header, len,
@ -1555,10 +1554,9 @@ mpt_read_config_info_ioc(struct mpt_softc *mpt)
 	if (mpt->ioc_page3 != NULL)
 		free(mpt->ioc_page3, M_DEVBUF);
 	len = hdr.PageLength * sizeof(uint32_t);
-	mpt->ioc_page3 = malloc(len, M_DEVBUF, M_NOWAIT);
+	mpt->ioc_page3 = malloc(len, M_DEVBUF, M_NOWAIT | M_ZERO);
 	if (mpt->ioc_page3 == NULL)
 		return (-1);
-	memset(mpt->ioc_page3, 0, sizeof(*mpt->ioc_page3));
 	memcpy(&mpt->ioc_page3->Header, &hdr, sizeof(hdr));
 	rv = mpt_read_cur_cfg_page(mpt, /*PageAddress*/0,
 				   &mpt->ioc_page3->Header, len,