Date:      Fri, 14 May 2021 10:34:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 255864] [PATCH] dev/core: Fix a double free in oce_tx
Message-ID:  <bug-255864-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255864

            Bug ID: 255864
           Summary: [PATCH] dev/core: Fix a double free in oce_tx
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lylgood@foxmail.com

Created attachment 224928
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224928&action=edit
set *mpp to NULL

Bug File: sys/dev/oce/oce_if.c

In function oce_tx, it calls oce_tso_setup(..,mpp) at line 1,087.
Inside oce_tso_setup, m is assigned with *mpp, and then m is freed by the bad
branch of callee m_pullup() at line 1,332 and returns NULL. Now, *mpp points to
a freed memory object.

After oce_tso_setup() returns NULL, the execution comes to the free_ret branch
of oce_tx. Then, *mpp is freed again via m_freem() at line 1,229.

As m_pullup() returns NULL if *mpp is freed, my patch sets *mpp to NULL by
"*mpp = m" to avoid the double free.

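An added example, not part of the bug report or of the FreeBSD oce driver: a small C model of the ownership rule behind the fix. The mbuf, m_pullup and m_freem here are hypothetical stand-ins that reproduce only the contract the report relies on (m_pullup frees its argument and returns NULL on failure), so the double free on the free_ret path becomes countable, and the patch's "*mpp = m" is shown removing it.

```c
#include <stdbool.h>
#include <stddef.h>
struct mbuf { int len; bool freed; };   /* hypothetical stand-in for struct mbuf */

static int double_free_count;           /* frees of an already-freed mbuf */

/* Model of m_freem(): m_freem(NULL) is a no-op; freeing an already-freed
 * mbuf is counted here instead of corrupting the allocator as it would for real. */
static void model_m_freem(struct mbuf *m)
{
    if (m == NULL)
        return;
    if (m->freed)
        double_free_count++;
    m->freed = true;
}

/* Model of m_pullup(m, len): on failure it frees m and returns NULL, the
 * contract the report relies on at line 1,332. */
static struct mbuf *model_m_pullup(struct mbuf *m, int len)
{
    if (m->len < len) {
        model_m_freem(m);
        return NULL;
    }
    return m;
}

/* oce_tso_setup as described: the buggy variant leaves the caller's *mpp
 * dangling, the fixed variant applies the patch's "*mpp = m". */
static struct mbuf *tso_setup(struct mbuf **mpp, int need, bool fixed)
{
    struct mbuf *m = model_m_pullup(*mpp, need);
    if (fixed)
        *mpp = m;
    return m;
}

/* Caller modelled on oce_tx's free_ret path; the pullup is forced to fail by
 * requesting more bytes than the mbuf holds. Returns the double-free count. */
static int run_tx(bool fixed)
{
    struct mbuf mb = { .len = 10, .freed = false };
    struct mbuf *m = &mb;
    double_free_count = 0;
    if (tso_setup(&m, 64, fixed) == NULL)  /* oce_tso_setup() returned NULL */
        model_m_freem(m);                  /* free_ret: m_freem(*mpp) */
    return double_free_count;
}
```

run_tx(false) reports one double free, run_tx(true) reports none: once the callee writes NULL back through mpp, the caller's m_freem(*mpp) becomes the harmless m_freem(NULL).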