From owner-freebsd-hackers@FreeBSD.ORG Mon Aug 23 17:28:40 2004
Message-ID: <412A27FB.8030207@coverity.com>
Date: Mon, 23 Aug 2004 10:23:07 -0700
From: Ted Unangst
To: Julian Elischer
cc: hackers@freebsd.org
Subject: Re: use after free bugs
References: <41263E77.5040500@coverity.com> <4126F9B3.8050900@elischer.org>
In-Reply-To: <4126F9B3.8050900@elischer.org>
List-Id: Technical Discussions relating to FreeBSD

Julian Elischer wrote:
> Ted Unangst wrote:
>
>> these are results from running Coverity's analysis over the FreeBSD 4.10
>> kernel.
>> two improper loops:
>> if_ef.c:566 and atapi-all.c
>>
>> ng_socket.c: possible double free of resp 815 and 870, depending on
>> caller context. is this possible?
>>
>
> I'm not seeing it..
>
> Can you show the lines in the version that is being examined?
> (So I can be sure I'm looking at the right code)
> (and how do I interpret the above report? 815 and 870 are freeing
> different things.)

sorry, typo. the file is ng_ksocket.c.

	case NGM_KSOCKET_GETOPT:
		if ((error = sogetopt()) != 0)
			FREE(resp, M_NETGRAPH);
		...
		if (rptr)
			*rptr = resp;
		else if (resp)
			FREE(resp, M_NETGRAPH);

i'm not sure if rptr is tied to the typecookie or not.
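An added example, not code from the thread or from FreeBSD's ng_ksocket.c, that models the shape under discussion: a handler allocates a response, an error path frees it without clearing the pointer, and a shared exit path then either frees it again (no rptr) or hands the dangling pointer back to the caller (rptr set). The names mk_response, free_response, fake_sogetopt and rcvmsg_* are hypothetical stand-ins, and a small fixed pool replaces the M_NETGRAPH allocator so that a second free is counted instead of corrupting the heap. rcvmsg_fixed shows the usual remedy of nulling the pointer at the point of the free.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the pattern discussed in the thread. All names
 * are hypothetical; the pool stands in for MALLOC/FREE(.., M_NETGRAPH). */
enum buf_state { BUF_FREE = 0, BUF_ALLOCATED = 1 };

struct resp_buf {
    enum buf_state state;
    char data[32];
};

#define POOL_SIZE 4
static struct resp_buf pool[POOL_SIZE];
static int double_free_count;   /* frees of a buffer that is already free */

void reset_pool(void) {
    memset(pool, 0, sizeof pool);
    double_free_count = 0;
}

int get_double_free_count(void) { return double_free_count; }

int get_live_count(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].state == BUF_ALLOCATED)
            n++;
    return n;
}

/* NG_MKRESPONSE stand-in: NULL when the pool is exhausted. */
static struct resp_buf *mk_response(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].state == BUF_FREE) {
            pool[i].state = BUF_ALLOCATED;
            return &pool[i];
        }
    return NULL;
}

/* FREE(resp, M_NETGRAPH) stand-in that records a second free. */
static void free_response(struct resp_buf *r) {
    if (r->state == BUF_FREE) {
        double_free_count++;
        return;
    }
    r->state = BUF_FREE;
}

/* sogetopt() stand-in: only option 1 exists, anything else fails. */
static int fake_sogetopt(int name, char *val, size_t len) {
    if (name != 1)
        return 22;              /* EINVAL */
    strncpy(val, "optval", len);
    return 0;
}

/* Buggy shape: on failure resp is freed but stays non-NULL, so the exit
 * path frees it again (rptr == NULL) or returns a dangling pointer. */
int rcvmsg_buggy(int optname, struct resp_buf **rptr) {
    struct resp_buf *resp = mk_response();
    int error = 0;

    if (resp == NULL) {
        error = 12;             /* ENOMEM */
        goto done;
    }
    if ((error = fake_sogetopt(optname, resp->data, sizeof resp->data)) != 0)
        free_response(resp);    /* BUG: resp still points at freed memory */
done:
    if (rptr)
        *rptr = resp;
    else if (resp)
        free_response(resp);
    return error;
}

/* Fixed shape: clear the pointer where it is freed, so the shared exit
 * path has nothing left to free or to return. */
int rcvmsg_fixed(int optname, struct resp_buf **rptr) {
    struct resp_buf *resp = mk_response();
    int error = 0;

    if (resp == NULL) {
        error = 12;
        goto done;
    }
    if ((error = fake_sogetopt(optname, resp->data, sizeof resp->data)) != 0) {
        free_response(resp);
        resp = NULL;            /* ownership is gone; exit path sees no buffer */
    }
done:
    if (rptr)
        *rptr = resp;
    else if (resp)
        free_response(resp);
    return error;
}
```

The two functions differ only in the one assignment after the free; with a real allocator the buggy variant would corrupt the heap on the rptr == NULL path and leak a freed pointer to the caller on the other, which is exactly why a single cleanup label that frees whatever is still non-NULL needs every early free to null its pointer.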