use after free bugs

YONETANI Tomokazu qhwt+dragonfly-submit at les.ath.cx
Sun Feb 22 05:00:39 PST 2004


On Thu, Feb 19, 2004 at 05:43:53PM -0800, Ted Unangst wrote:
> Hi.  These are some bugs found by Coverity in a static analysis run on the
> FreeBSD kernel.  All these are use after free bugs.

[snip]

> [UNINSPECTED]
> X [BUG]
> X [FALSE]
> X [UNKNOWN]
> X [BROKE]
> X [SKIP]
> /home/tedu/sys/dev/ips/ips_commands.c|517|ips_ffdc_reset|ERROR|FREE|514|517| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
> 
> 	status = malloc(sizeof(ips_cmd_status_t), M_DEVBUF, M_NOWAIT|M_ZERO);
> 	if(!status)
> 		return ENOMEM;
> 	if(ips_get_free_cmd(sc, ips_send_ffdc_reset_cmd, status,
> 			    IPS_NOWAIT_FLAG)){
> Start --->
> 		free(status, M_DEVBUF);
> 		device_printf(sc->dev, "ERROR: unable to get a command! can't send ffdc reset!\n");
> 	}
> Error --->
> 	if(COMMAND_ERROR(status)){
> 		device_printf(sc->dev, "ERROR: ffdc reset command failed!\n");
> 	}
> 	free(status, M_DEVBUF);
> 	return 0;
> }
> ---------------------------------------------------------

Attached patch should fix this, as well as other places similar to
this. Tested that both gcc2 and gcc3 compiled the patched code.

Regards.
Attachment:
ips.diff.gz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bin00002.bin
Type: application/octet-stream
Size: 446 bytes
Desc: "Description: application/gunzip"
URL: <http://lists.dragonflybsd.org/pipermail/submit/attachments/20040222/b56096c9/attachment-0016.bin>
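
The control flow flagged in the quoted report, modeled in userland C as an added example. It is not the attached ips.diff, whose contents are not shown here, and not driver code. The names `status`, `audit`, `model_free`, `model_read`, `reset_as_reported` and `reset_single_exit` are hypothetical, and returning EIO on failure is an assumption.

```c
#include <errno.h>

/* Constructed userland model: "freeing" only sets a flag, so the reported
 * path can be executed safely and every misuse counted. */
struct status { int value; int freed; };
struct audit  { int uaf_reads; int double_frees; };

static void model_free(struct status *s, struct audit *a)
{
    if (s->freed)
        a->double_frees++;      /* second free of the same object */
    s->freed = 1;
}

static int model_read(const struct status *s, struct audit *a)
{
    if (s->freed)
        a->uaf_reads++;         /* read after free */
    return s->value;
}

/* Control flow as quoted in the report: the failure branch frees, then
 * falls through to the status check and to the final free. */
int reset_as_reported(int get_cmd_fails, struct audit *a)
{
    struct status st = {0, 0};
    if (get_cmd_fails)
        model_free(&st, a);     /* "Start --->" line in the report */
    (void)model_read(&st, a);   /* "Error --->" line: COMMAND_ERROR(status) */
    model_free(&st, a);
    return 0;
}

/* One possible repair (assumption): record the error and leave through a
 * single exit that frees exactly once. EIO is an illustrative choice. */
int reset_single_exit(int get_cmd_fails, struct audit *a)
{
    struct status st = {0, 0};
    int error = 0;
    if (get_cmd_fails) {
        error = EIO;
        goto out;
    }
    if (model_read(&st, a) != 0)
        error = EIO;
out:
    model_free(&st, a);
    return error;
}
```

On the failure path the reported flow registers one read after free and one double free, while the single-exit form registers neither.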