Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 Dec 2021 10:03:47 GMT
From:      Ram Kishore Vegesna <ram@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: fa3e66e9f7cd - stable/12 - ocs_fc: Fix use after free bug in ocs_hw_async_call()
Message-ID:  <202112171003.1BHA3lt6051913@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/12 has been updated by ram:

URL: https://cgit.FreeBSD.org/src/commit/?id=fa3e66e9f7cd903050454fc284e2709a9e28e651

commit fa3e66e9f7cd903050454fc284e2709a9e28e651
Author:     Ram Kishore Vegesna <ram@FreeBSD.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit:     Ram Kishore Vegesna <ram@FreeBSD.org>
CommitDate: 2021-12-17 09:45:59 +0000

    ocs_fc: Fix use after free bug in ocs_hw_async_call()
    
    Freed ctx is used in the later callee ocs_hw_command(),
    which is a use after free bug.
    
    Return error if sli_cmd_common_nop() failed.
    
    PR: 255865
    Reported by: lylgood@foxmail.com
    Approved by:: markj
    
    (cherry picked from commit 7377d3831bc8abec2d6e5fee359d7383d4551feb)
---
 sys/dev/ocs_fc/ocs_hw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/dev/ocs_fc/ocs_hw.c b/sys/dev/ocs_fc/ocs_hw.c
index 9cbb3f67e306..c77e17663836 100644
--- a/sys/dev/ocs_fc/ocs_hw.c
+++ b/sys/dev/ocs_fc/ocs_hw.c
@@ -11808,7 +11808,6 @@ ocs_hw_async_cb(ocs_hw_t *hw, int32_t status, uint8_t *mqe, void *arg)
 int32_t
 ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
 {
-	int32_t rc = 0;
 	ocs_hw_async_call_ctx_t *ctx;
 
 	/*
@@ -11828,15 +11827,15 @@ ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
 	if (sli_cmd_common_nop(&hw->sli, ctx->cmd, sizeof(ctx->cmd), 0) == 0) {
 		ocs_log_err(hw->os, "COMMON_NOP format failure\n");
 		ocs_free(hw->os, ctx, sizeof(*ctx));
-		rc = -1;
+		return OCS_HW_RTN_ERROR;
 	}
 
 	if (ocs_hw_command(hw, ctx->cmd, OCS_CMD_NOWAIT, ocs_hw_async_cb, ctx)) {
 		ocs_log_err(hw->os, "COMMON_NOP command failure\n");
 		ocs_free(hw->os, ctx, sizeof(*ctx));
-		rc = -1;
+		return OCS_HW_RTN_ERROR;
 	}
-	return rc;
+	return OCS_HW_RTN_SUCCESS;
 }
 
 /**

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112171003.1BHA3lt6051913>