svn commit: r349945 - head/usr.sbin/bhyve
Sean Chittenden
seanc at FreeBSD.org
Fri Jul 12 18:17:37 UTC 2019
Author: seanc (ports committer)
Date: Fri Jul 12 18:17:35 2019
New Revision: 349945
URL: https://svnweb.freebsd.org/changeset/base/349945
Log:
usr.sbin/bhyve: prevent use-after-free in virtio scsi request handling
Coverity CID: 1393377
Approved by: araujo, jhb
Differential Revision: https://reviews.freebsd.org/D20915
Modified:
head/usr.sbin/bhyve/pci_virtio_scsi.c
Modified: head/usr.sbin/bhyve/pci_virtio_scsi.c
==============================================================================
--- head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:13:58 2019 (r349944)
+++ head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:17:35 2019 (r349945)
@@ -465,7 +465,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q,
int data_niov_in, data_niov_out;
void *ext_data_ptr = NULL;
uint32_t ext_data_len = 0, ext_sg_entries = 0;
- int err;
+ int err, nxferred;
seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in,
VTSCSI_IN_HEADER_LEN(sc));
@@ -544,10 +544,11 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q,
}
buf_to_iov(cmd_wr, VTSCSI_OUT_HEADER_LEN(sc), iov_out, niov_out, 0);
+ nxferred = VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled;
free(cmd_rd);
free(cmd_wr);
ctl_scsi_free_io(io);
- return (VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled);
+ return (nxferred);
}
static void
More information about the svn-src-head
mailing list