Message-Id: <200503042320.j24NKcOs059959@www.freebsd.org>
Date: Fri, 4 Mar 2005 23:20:38 GMT
From: Iain Hibbert <plunky@rya-online.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bt3c device driver sends too many bytes
X-Send-Pr-Version: www-2.3

>Number:         78431
>Category:       kern
>Synopsis:       bt3c device driver sends too many bytes
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    emax
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 04 23:30:16 GMT 2005
>Closed-Date:    Wed Apr 06 22:20:32 GMT 2005
>Last-Modified:  Wed Apr 06 22:20:32 GMT 2005
>Originator:     Iain Hibbert
>Release:        NetBSD 2.0 :)
>Organization:
NetBSD
>Environment:
latest source on CVS server
>Description:
I am writing a device driver on NetBSD for the bt3c device and using your source as a reference.

In the file src/sys/netgraph/bluetooth/drivers/bt3c/ng_bt3c_pccard.c, that is to say the bt3c device driver, in function bt3c_send(), on line 1100, there is a loop like this:

len = min((BT3C_FIFO_SIZE - wrote), m->m_len);

for(i = 0; i < m->m_len ; i++)
        bt3c_write_data(sc, m->m_data[i]);

to send data from the mbuf to the bt3c device. If you look at the control loop, it should not be using m->m_len there because it might be bigger than the space left in the fifo.  The line before works out the correct number of bytes to write, so the loop should use that figure, as in:

for (i = 0 ; i < len ; i++)
        bt3c_write_data(sc, ...)



>How-To-Repeat:
      I'm not sure that it is a problem, since I am not running FreeBSD. The code as-is will just put too many bytes in the FIFO, but since it was full then maybe nothing would happen in any case; who can tell.
>Fix:
      see above.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: emax 
State-Changed-When: Wed Apr 6 22:06:22 GMT 2005 
State-Changed-Why:  
yes, looks like typo 



Responsible-Changed-From-To: freebsd-bugs->emax 
Responsible-Changed-By: emax 
Responsible-Changed-When: Wed Apr 6 22:06:22 GMT 2005 
Responsible-Changed-Why:  
yes, looks like typo 


http://www.freebsd.org/cgi/query-pr.cgi?pr=78431 
State-Changed-From-To: analyzed->closed 
State-Changed-By: emax 
State-Changed-When: Wed Apr 6 22:19:57 GMT 2005 
State-Changed-Why:  
fix committed to -current. mfc to releng_5 in 3 days. 

>Unformatted:
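Added example, not part of the original report and not the FreeBSD driver's code: a user-space model of the FIFO fill loop described above, run once with the reported bound (m->m_len) and once with the computed len, counting the bytes pushed at an already-full FIFO. The names seg, fifo_write, fill_fifo and demo, the 8-byte FIFO_SIZE, and the bookkeeping after the inner loop are assumptions made for the illustration.

```c
#include <stddef.h>

#define FIFO_SIZE 8  /* constructed size, not the driver's BT3C_FIFO_SIZE */

struct seg {         /* hypothetical stand-in for one mbuf in a chain */
    const unsigned char *data;
    size_t len;
    struct seg *next;
};

static size_t used, overrun;  /* model FIFO: bytes accepted / bytes past full */

static void fifo_write(unsigned char b)
{
    (void)b;                  /* the model only counts, it stores nothing */
    if (used < FIFO_SIZE) used++; else overrun++;
}

/* One FIFO fill. fixed=0 uses the reported bound (m->len), fixed=1 uses len. */
static size_t fill_fifo(struct seg *m, int fixed)
{
    size_t wrote = 0, i, len, bound;
    while (m != NULL && wrote < FIFO_SIZE) {
        len = m->len < FIFO_SIZE - wrote ? m->len : FIFO_SIZE - wrote;
        bound = fixed ? len : m->len;
        for (i = 0; i < bound; i++)
            fifo_write(m->data[i]);
        wrote += len;
        m->data += len;       /* assumed: only len bytes count as consumed */
        m->len -= len;
        if (m->len == 0)
            m = m->next;
    }
    return wrote;
}

/* Constructed input: 5-byte and 6-byte segments against an 8-byte FIFO. */
static size_t demo(int fixed)
{
    static const unsigned char a[5] = "AAAA", b[6] = "BBBBB";
    struct seg s2 = { b, sizeof b, NULL }, s1 = { a, sizeof a, &s2 };
    used = overrun = 0;
    fill_fifo(&s1, fixed);
    return overrun;           /* bytes written after the FIFO was full */
}

int main(void)
{
    return (demo(0) == 3 && demo(1) == 0) ? 0 : 1;
}
```

In the model the second segment is only advanced by len, so the three extra bytes written under the m->len bound would also be offered to the device again on the next fill.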
