diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-19 07:02:53 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-19 07:02:53 +0000 |
| commit | ec37331668fe8c718e98889703c1f2a9d04def5b (patch) | |
| tree | 3e1db4c7dc44b827427242bd76a0eba9783bc6ae | |
| parent | 857c546f26a920622fb7df5a262f5b63e5033dda (diff) | |
Fix possible double free in the TX dma ring handling. If the allocation of
the cluster fails in vte_init_tx_ring() the mbuf is removed but the slot
in the ring still holds the pointer. A possible call to vte_stop() would
then cause a double free. Again set pointer to NULL to prevent this.
Found by Ilja Van Sprundel
OK bluhm@
| -rw-r--r-- | sys/dev/pci/if_vte.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/dev/pci/if_vte.c b/sys/dev/pci/if_vte.c index 24517648dcf..1e50364ef22 100644 --- a/sys/dev/pci/if_vte.c +++ b/sys/dev/pci/if_vte.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_vte.c,v 1.19 2017/01/22 10:17:38 dlg Exp $ */ +/* $OpenBSD: if_vte.c,v 1.20 2017/07/19 07:02:52 claudio Exp $ */ /*- * Copyright (c) 2010, Pyun YongHyeon <yongari@FreeBSD.org> * All rights reserved. @@ -1353,6 +1353,7 @@ vte_init_tx_ring(struct vte_softc *sc) MCLGET(sc->vte_cdata.vte_txmbufs[i], M_DONTWAIT); if (!(sc->vte_cdata.vte_txmbufs[i]->m_flags & M_EXT)) { m_freem(sc->vte_cdata.vte_txmbufs[i]); + sc->vte_cdata.vte_txmbufs[i] = NULL; return (ENOBUFS); } sc->vte_cdata.vte_txmbufs[i]->m_pkthdr.len = MCLBYTES; |