Fatal bug in Boomerang driver found

[Rob Riggs]

Gordon Oliver wrote:
> 
> this appears to have a one-off bug (vp->cur_rx is really more than INT_MAX)
> rather than use < 0 you could use == INT_MAX or >= (some large number)
> I'd suggest something like
>         if (vp->cur_rx > 1000000) {
>                 vp->dirty_rx -= vp->cur_rx;
>                 vp->cur_rx = 0;
>         }

It's worse than that. Both are also unsigned ints, and vp->cur_rx
is always >= vp->dirty_rx, meaning that, doing it this way,
vp->dirty_rx can become a rather large number. This really screws
us when filling the ring buffer with new skbs.

The best way to do this is:

	if (vp->cur_rx == (RX_RING_SIZE * 2)) {
		vp->dirty -= RX_RING_SIZE;
		vp->cur_rx -= RX_RING_SIZE;
	}

since vp->cur_rx - vp->dirty_rx is always <= RX_RING_SIZE.

I've already posted patch #3, and it fixes this bugger in
another (yet similar) manner.

-Rob
-- 
Rob Riggs                        Devil's Thumb Entertainment
Network Administrator            Boulder, CO - (303) 938-1200
rob@DevilsThumb.COM              http://www.DevilsThumb.COM/~rob
"The notion of errors is ill-defined." - IRIX 'netstat' man page