Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 Feb 2017 23:20:22 +0000 (UTC)
From:      Andriy Voskoboinyk <avos@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r313906 - in head/sys/dev: iwi ral usb/wlan
Message-ID:  <201702172320.v1HNKMvU066049@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: avos
Date: Fri Feb 17 23:20:22 2017
New Revision: 313906
URL: https://svnweb.freebsd.org/changeset/base/313906

Log:
  iwi, ral, zyd: fix possible use-after-free.
  
  MFC after:	5 days

Modified:
  head/sys/dev/iwi/if_iwi.c
  head/sys/dev/ral/rt2661.c
  head/sys/dev/usb/wlan/if_zyd.c

Modified: head/sys/dev/iwi/if_iwi.c
==============================================================================
--- head/sys/dev/iwi/if_iwi.c	Fri Feb 17 22:51:34 2017	(r313905)
+++ head/sys/dev/iwi/if_iwi.c	Fri Feb 17 23:20:22 2017	(r313906)
@@ -1979,9 +1979,9 @@ iwi_start(struct iwi_softc *sc)
 		}
 		ni = (struct ieee80211_node *) m->m_pkthdr.rcvif;
 		if (iwi_tx_start(sc, m, ni, ac) != 0) {
-			ieee80211_free_node(ni);
 			if_inc_counter(ni->ni_vap->iv_ifp,
 			    IFCOUNTER_OERRORS, 1);
+			ieee80211_free_node(ni);
 			break;
 		}
 		sc->sc_tx_timer = 5;

Modified: head/sys/dev/ral/rt2661.c
==============================================================================
--- head/sys/dev/ral/rt2661.c	Fri Feb 17 22:51:34 2017	(r313905)
+++ head/sys/dev/ral/rt2661.c	Fri Feb 17 23:20:22 2017	(r313906)
@@ -1616,9 +1616,9 @@ rt2661_start(struct rt2661_softc *sc)
 		}
 		ni = (struct ieee80211_node *) m->m_pkthdr.rcvif;
 		if (rt2661_tx_data(sc, m, ni, ac) != 0) {
-			ieee80211_free_node(ni);
 			if_inc_counter(ni->ni_vap->iv_ifp,
 			    IFCOUNTER_OERRORS, 1);
+			ieee80211_free_node(ni);
 			break;
 		}
 		sc->sc_tx_timer = 5;

Modified: head/sys/dev/usb/wlan/if_zyd.c
==============================================================================
--- head/sys/dev/usb/wlan/if_zyd.c	Fri Feb 17 22:51:34 2017	(r313905)
+++ head/sys/dev/usb/wlan/if_zyd.c	Fri Feb 17 23:20:22 2017	(r313906)
@@ -2582,10 +2582,10 @@ zyd_start(struct zyd_softc *sc)
 	while (sc->tx_nfree > 0 && (m = mbufq_dequeue(&sc->sc_snd)) != NULL) {
 		ni = (struct ieee80211_node *)m->m_pkthdr.rcvif;
 		if (zyd_tx_start(sc, m, ni) != 0) {
-			ieee80211_free_node(ni);
 			m_freem(m);
 			if_inc_counter(ni->ni_vap->iv_ifp,
 			    IFCOUNTER_OERRORS, 1);
+			ieee80211_free_node(ni);
 			break;
 		}
 	}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702172320.v1HNKMvU066049>