Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 28 May 2021 06:05:06 GMT
From:      Ram Kishore Vegesna <ram@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 7377d3831bc8 - main - ocs_fc: Fix use after free bug in ocs_hw_async_call()
Message-ID:  <202105280605.14S656KI030530@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by ram:

URL: https://cgit.FreeBSD.org/src/commit/?id=7377d3831bc8abec2d6e5fee359d7383d4551feb

commit 7377d3831bc8abec2d6e5fee359d7383d4551feb
Author:     Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit:     Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-05-28 05:51:10 +0000

    ocs_fc: Fix use after free bug in ocs_hw_async_call()
    
    Freed ctx is used in the later callee ocs_hw_command(),
    which is a use after free bug.
    
    Return error if sli_cmd_common_nop() failed.
    
    PR: 255865
    Reported by: lylgood@foxmail.com
    Approved by:: markj
---
 sys/dev/ocs_fc/ocs_hw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/dev/ocs_fc/ocs_hw.c b/sys/dev/ocs_fc/ocs_hw.c
index d28d5e4a08b7..aa7d5857d9d9 100644
--- a/sys/dev/ocs_fc/ocs_hw.c
+++ b/sys/dev/ocs_fc/ocs_hw.c
@@ -11778,7 +11778,6 @@ ocs_hw_async_cb(ocs_hw_t *hw, int32_t status, uint8_t *mqe, void *arg)
 int32_t
 ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
 {
-	int32_t rc = 0;
 	ocs_hw_async_call_ctx_t *ctx;
 
 	/*
@@ -11798,15 +11797,15 @@ ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
 	if (sli_cmd_common_nop(&hw->sli, ctx->cmd, sizeof(ctx->cmd), 0) == 0) {
 		ocs_log_err(hw->os, "COMMON_NOP format failure\n");
 		ocs_free(hw->os, ctx, sizeof(*ctx));
-		rc = -1;
+		return OCS_HW_RTN_ERROR;
 	}
 
 	if (ocs_hw_command(hw, ctx->cmd, OCS_CMD_NOWAIT, ocs_hw_async_cb, ctx)) {
 		ocs_log_err(hw->os, "COMMON_NOP command failure\n");
 		ocs_free(hw->os, ctx, sizeof(*ctx));
-		rc = -1;
+		return OCS_HW_RTN_ERROR;
 	}
-	return rc;
+	return OCS_HW_RTN_SUCCESS;
 }
 
 /**

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105280605.14S656KI030530>