Date: Fri, 12 Jul 2019 18:17:36 +0000 (UTC) From: Sean Chittenden <seanc@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r349945 - head/usr.sbin/bhyve Message-ID: <201907121817.x6CIHa03028894@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: seanc (ports committer) Date: Fri Jul 12 18:17:35 2019 New Revision: 349945 URL: https://svnweb.freebsd.org/changeset/base/349945 Log: usr.sbin/bhyve: prevent use-after-free in virtio scsi request handling Coverity CID: 1393377 Approved by: araujo, jhb Differential Revision: https://reviews.freebsd.org/D20915 Modified: head/usr.sbin/bhyve/pci_virtio_scsi.c Modified: head/usr.sbin/bhyve/pci_virtio_scsi.c ============================================================================== --- head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:13:58 2019 (r349944) +++ head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:17:35 2019 (r349945) @@ -465,7 +465,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, int data_niov_in, data_niov_out; void *ext_data_ptr = NULL; uint32_t ext_data_len = 0, ext_sg_entries = 0; - int err; + int err, nxferred; seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in, VTSCSI_IN_HEADER_LEN(sc)); @@ -544,10 +544,11 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, } buf_to_iov(cmd_wr, VTSCSI_OUT_HEADER_LEN(sc), iov_out, niov_out, 0); + nxferred = VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled; free(cmd_rd); free(cmd_wr); ctl_scsi_free_io(io); - return (VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled); + return (nxferred); } static void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907121817.x6CIHa03028894>