git: 16f8f89c5c1f - main - cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on
Mark Johnston
markj at FreeBSD.org
Wed May 26 14:49:49 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=16f8f89c5c1f324a15a7e0607f03f041a230a572
commit 16f8f89c5c1f324a15a7e0607f03f041a230a572
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-05-26 14:02:19 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-05-26 14:45:40 +0000
cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on
PR: 224927
MFC after: 1 week
---
sys/dev/cxgb/cxgb_sge.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/cxgb/cxgb_sge.c b/sys/dev/cxgb/cxgb_sge.c
index f13d2f03180c..00b67880fcc8 100644
--- a/sys/dev/cxgb/cxgb_sge.c
+++ b/sys/dev/cxgb/cxgb_sge.c
@@ -2773,6 +2773,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs,
if (mh->mh_tail == NULL) {
log(LOG_ERR, "discarding intermediate descriptor entry\n");
m_freem(m);
+ m = NULL;
break;
}
mh->mh_tail->m_next = m;
@@ -2780,7 +2781,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs,
mh->mh_head->m_pkthdr.len += len;
break;
}
- if (cxgb_debug)
+ if (cxgb_debug && m != NULL)
printf("len=%d pktlen=%d\n", m->m_len, m->m_pkthdr.len);
done:
if (++fl->cidx == fl->size)
More information about the dev-commits-src-all
mailing list