git: 7597246911f8 - stable/13 - nvmecontrol wdc: Don't pass a bogus pointer to free().
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 11 Nov 2022 18:36:58 UTC
The branch stable/13 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=7597246911f89d29294be46d2d3c84b215d3a4e9
commit 7597246911f89d29294be46d2d3c84b215d3a4e9
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-10-03 23:10:44 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-11 18:18:54 +0000
nvmecontrol wdc: Don't pass a bogus pointer to free().
wdc_get_dui_log_size allocates a buffer and then advances the
returned pointer. Passing this advanced pointer to free() is UB,
so save the original pointer to pass to free() instead.
Reviewed by: imp
Reported by: GCC 12 -Wfree-nonheap-object
Differential Revision: https://reviews.freebsd.org/D36827
(cherry picked from commit 1187e46d1b3833b9b54867a5587904c451369515)
---
sbin/nvmecontrol/modules/wdc/wdc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sbin/nvmecontrol/modules/wdc/wdc.c b/sbin/nvmecontrol/modules/wdc/wdc.c
index a60f72942186..1cae15a1e54c 100644
--- a/sbin/nvmecontrol/modules/wdc/wdc.c
+++ b/sbin/nvmecontrol/modules/wdc/wdc.c
@@ -268,7 +268,7 @@ static void
wdc_get_dui_log_size(int fd, uint32_t opcode, uint8_t data_area,
uint64_t *log_size, int len_off)
{
- uint8_t *hdr;
+ uint8_t *hdr, *tofree;
uint8_t max_sections;
int i, j;
uint16_t hdr_ver;
@@ -277,7 +277,7 @@ wdc_get_dui_log_size(int fd, uint32_t opcode, uint8_t data_area,
dui_size = 0;
len = 1024;
- hdr = (uint8_t*)malloc(len);
+ tofree = hdr = (uint8_t*)malloc(len);
if (hdr == NULL)
errx(EX_OSERR, "Can't get buffer to read header");
wdc_get_data_dui(fd, opcode, len, 0, hdr, len);
@@ -315,7 +315,7 @@ wdc_get_dui_log_size(int fd, uint32_t opcode, uint8_t data_area,
errx(EX_PROTOCOL, "ERROR : No valid header ");
*log_size = dui_size;
- free(hdr);
+ free(tofree);
}
static void