Date: Wed, 26 May 2021 14:49:48 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 16f8f89c5c1f - main - cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on Message-ID: <202105261449.14QEnmqj082992@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=16f8f89c5c1f324a15a7e0607f03f041a230a572 commit 16f8f89c5c1f324a15a7e0607f03f041a230a572 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-05-26 14:02:19 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-26 14:45:40 +0000 cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on PR: 224927 MFC after: 1 week --- sys/dev/cxgb/cxgb_sge.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/dev/cxgb/cxgb_sge.c b/sys/dev/cxgb/cxgb_sge.c index f13d2f03180c..00b67880fcc8 100644 --- a/sys/dev/cxgb/cxgb_sge.c +++ b/sys/dev/cxgb/cxgb_sge.c @@ -2773,6 +2773,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, if (mh->mh_tail == NULL) { log(LOG_ERR, "discarding intermediate descriptor entry\n"); m_freem(m); + m = NULL; break; } mh->mh_tail->m_next = m; @@ -2780,7 +2781,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, mh->mh_head->m_pkthdr.len += len; break; } - if (cxgb_debug) + if (cxgb_debug && m != NULL) printf("len=%d pktlen=%d\n", m->m_len, m->m_pkthdr.len); done: if (++fl->cidx == fl->size)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105261449.14QEnmqj082992>