git: c4995b69db93 - main - ipmi: fix a use-after-free bug in error handling
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 08 Jul 2022 03:50:45 UTC
The branch main has been updated by philip:
URL: https://cgit.FreeBSD.org/src/commit/?id=c4995b69db93fdab5fe375eae129aeff1cbca1bb
commit c4995b69db93fdab5fe375eae129aeff1cbca1bb
Author: Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2022-07-08 03:49:54 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2022-07-08 03:49:54 +0000
ipmi: fix a use-after-free bug in error handling
18db96dbfd4a09063a0abcefd51fa8d2aeb115d6 introduced a use-after-free bug
in the error handling of the IPMICTL_RECEIVE_MSG ioctl.
Reported by: Coverity (CID 1490456) (via vangyzen)
Differential Revision: https://reviews.freebsd.org/D35605
---
sys/dev/ipmi/ipmi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/ipmi/ipmi.c b/sys/dev/ipmi/ipmi.c
index 7afafa492b6f..fd264dfc4c27 100644
--- a/sys/dev/ipmi/ipmi.c
+++ b/sys/dev/ipmi/ipmi.c
@@ -388,12 +388,13 @@ ipmi_ioctl(struct cdev *cdev, u_long cmd, caddr_t data,
return (EAGAIN);
}
if (kreq->ir_error != 0) {
+ error = kreq->ir_error;
TAILQ_REMOVE(&dev->ipmi_completed_requests, kreq,
ir_link);
dev->ipmi_requests--;
IPMI_UNLOCK(sc);
ipmi_free_request(kreq);
- return (kreq->ir_error);
+ return (error);
}
recv->recv_type = IPMI_RESPONSE_RECV_TYPE;