>Number:         25676
>Category:       kern
>Synopsis:       Incorrect buffer usage in umass CBI transfers
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 22 21:45:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     darkstar@city-net.com
>Release:        NetBSD 1.6ZK
>Organization:
>Environment:
>Description:
>How-To-Repeat:
>Fix:

Index: umass.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/umass.c,v
retrieving revision 1.109
diff -u -r1.109 umass.c
--- umass.c	4 Dec 2003 13:57:31 -0000	1.109
+++ umass.c	22 May 2004 21:18:15 -0000
@@ -1489,7 +1489,7 @@
 		sc->transfer_state = TSTATE_CBI_DATA;
 		if (sc->transfer_dir == DIR_IN) {
 			if (umass_setup_transfer(sc, sc->sc_pipe[UMASS_BULKIN],
-					sc->transfer_data, sc->transfer_datalen,
+					sc->data_buffer, sc->transfer_datalen,
 					USBD_SHORT_XFER_OK | USBD_NO_COPY,
 					sc->transfer_xfer[XFER_CBI_DATA]))
 				umass_cbi_reset(sc, STATUS_WIRE_FAILED);
@@ -1499,7 +1499,7 @@
 			memcpy(sc->data_buffer, sc->transfer_data,
 			       sc->transfer_datalen);
 			if (umass_setup_transfer(sc, sc->sc_pipe[UMASS_BULKOUT],
-					sc->transfer_data, sc->transfer_datalen,
+					sc->data_buffer, sc->transfer_datalen,
 					USBD_NO_COPY,/* fixed length transfer */
 					sc->transfer_xfer[XFER_CBI_DATA]))
 				umass_cbi_reset(sc, STATUS_WIRE_FAILED);


>Release-Note:
>Audit-Trail:
>Unformatted: