Detection bug: If a packet is received while in the match() routine the stack

would be overwritten, so allocate memory for a full packet via malloc()
instead. Use correct buffer maxlen (must be 2 complemet). Bug reported
and helped to find by Roar Thronæs.

sys/dev/qbus/if_qe.c

@@ -1,4 +1,4 @@
-/*      $NetBSD: if_qe.c,v 1.50 2002/05/22 16:03:17 wiz Exp $ */
+/*      $NetBSD: if_qe.c,v 1.51 2002/06/08 12:28:37 ragge Exp $ */
 /*
  * Copyright (c) 1999 Ludd, University of Lule}, Sweden. All rights reserved.
  *
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_qe.c,v 1.50 2002/05/22 16:03:17 wiz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_qe.c,v 1.51 2002/06/08 12:28:37 ragge Exp $");
 
 #include "opt_inet.h"
 #include "bpfilter.h"
@@ -139,11 +139,12 @@ qematch(struct device *parent, struct cfdata *cf, void *aux)
 	struct	uba_softc *ubasc = (struct uba_softc *)parent;
 	struct ubinfo ui;
 
-#define	PROBESIZE	(sizeof(struct qe_ring) * 4 + 128)
-	struct	qe_ring ring[15]; /* For diag purposes only */
+#define	PROBESIZE	4096
+	struct qe_ring *ring;
 	struct	qe_ring *rp;
 	int error;
 
+	ring = malloc(PROBESIZE, M_TEMP, M_WAITOK);
 	bzero(sc, sizeof(struct qe_softc));
 	bzero(ring, PROBESIZE);
 	sc->sc_iot = ua->ua_iot;
@@ -172,12 +173,12 @@ qematch(struct device *parent, struct cfdata *cf, void *aux)
 	ring[0].qe_flag = ring[0].qe_status1 = QE_NOTYET;
 	ring[0].qe_addr_lo = LOWORD(&rp[4]);
 	ring[0].qe_addr_hi = HIWORD(&rp[4]) | QE_VALID | QE_EOMSG | QE_SETUP;
-	ring[0].qe_buf_len = 128;
+	ring[0].qe_buf_len = -64;
 
 	ring[2].qe_flag = ring[2].qe_status1 = QE_NOTYET;
 	ring[2].qe_addr_lo = LOWORD(&rp[4]);
 	ring[2].qe_addr_hi = HIWORD(&rp[4]) | QE_VALID;
-	ring[2].qe_buf_len = 128;
+	ring[2].qe_buf_len = -(1500/2);
 
 	QE_WCSR(QE_CSR_CSR, QE_RCSR(QE_CSR_CSR) & ~QE_RESET);
 	DELAY(1000);
@@ -196,6 +197,7 @@ qematch(struct device *parent, struct cfdata *cf, void *aux)
 	 * All done with the bus resources.
 	 */
 	ubfree((void *)parent, &ui);
+	free(ring, M_TEMP);
 	return 1;
 }