Date: Fri, 8 Jul 2022 03:50:45 GMT From: Philip Paeps <philip@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: c4995b69db93 - main - ipmi: fix a use-after-free bug in error handling Message-ID: <202207080350.2683ojeH032182@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=c4995b69db93fdab5fe375eae129aeff1cbca1bb commit c4995b69db93fdab5fe375eae129aeff1cbca1bb Author: Philip Paeps <philip@FreeBSD.org> AuthorDate: 2022-07-08 03:49:54 +0000 Commit: Philip Paeps <philip@FreeBSD.org> CommitDate: 2022-07-08 03:49:54 +0000 ipmi: fix a use-after-free bug in error handling 18db96dbfd4a09063a0abcefd51fa8d2aeb115d6 introduced a use-after-free bug in the error handling of the IPMICTL_RECEIVE_MSG ioctl. Reported by: Coverity (CID 1490456) (via vangyzen) Differential Revision: https://reviews.freebsd.org/D35605 --- sys/dev/ipmi/ipmi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/dev/ipmi/ipmi.c b/sys/dev/ipmi/ipmi.c index 7afafa492b6f..fd264dfc4c27 100644 --- a/sys/dev/ipmi/ipmi.c +++ b/sys/dev/ipmi/ipmi.c @@ -388,12 +388,13 @@ ipmi_ioctl(struct cdev *cdev, u_long cmd, caddr_t data, return (EAGAIN); } if (kreq->ir_error != 0) { + error = kreq->ir_error; TAILQ_REMOVE(&dev->ipmi_completed_requests, kreq, ir_link); dev->ipmi_requests--; IPMI_UNLOCK(sc); ipmi_free_request(kreq); - return (kreq->ir_error); + return (error); } recv->recv_type = IPMI_RESPONSE_RECV_TYPE;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202207080350.2683ojeH032182>