use after free bugs
YONETANI Tomokazu
qhwt+dragonfly-submit at les.ath.cx
Sun Feb 22 05:00:39 PST 2004
On Thu, Feb 19, 2004 at 05:43:53PM -0800, Ted Unangst wrote:
> Hi. These are some bugs found by Coverity in a static analysis run on the
> FreeBSD kernel. All these are use after free bugs.
[snip]
> [UNINSPECTED]
> X [BUG]
> X [FALSE]
> X [UNKNOWN]
> X [BROKE]
> X [SKIP]
> /home/tedu/sys/dev/ips/ips_commands.c|517|ips_ffdc_reset|ERROR|FREE|514|517| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
>
>     status = malloc(sizeof(ips_cmd_status_t), M_DEVBUF, M_NOWAIT|M_ZERO);
>     if(!status)
>         return ENOMEM;
>     if(ips_get_free_cmd(sc, ips_send_ffdc_reset_cmd, status,
>         IPS_NOWAIT_FLAG)){
> Start --->
>         free(status, M_DEVBUF);
>         device_printf(sc->dev, "ERROR: unable to get a command! can't send ffdc reset!\n");
>     }
> Error --->
>     if(COMMAND_ERROR(status)){
>         device_printf(sc->dev, "ERROR: ffdc reset command failed!\n");
>     }
>     free(status, M_DEVBUF);
>     return 0;
> }
> ---------------------------------------------------------
Attached patch should fix this, as well as other places similar to
this. Tested that both gcc2 and gcc3 compiled the patched code.
Regards.
Attachment:
ips.diff.gz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bin00002.bin
Type: application/octet-stream
Size: 446 bytes
Desc: "Description: application/gunzip"
URL: <http://lists.dragonflybsd.org/pipermail/submit/attachments/20040222/b56096c9/attachment-0018.bin>
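The control flow flagged in the quoted report, modelled in userland next to one way of correcting it. This is an added example, not the attached ips.diff.gz (which is not shown on this page) and not driver code. The names status_t, track_free, command_error, reset_buggy and reset_fixed are constructed, and the EIO return value is an assumption.

```c
/* Userland model of the error path in the quoted ips_ffdc_reset() code.
 * status_t, track_free(), command_error() and reset_*() are constructed
 * for this example; they are not driver code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int error; int freed; } status_t;
static int uaf_reads, double_frees;   /* observed by the helpers below */
/* Marks the object instead of releasing it, so the buggy flow can be
 * observed without real undefined behaviour. */
static void track_free(status_t *s) { if (s->freed) double_frees++; s->freed = 1; }
/* Stand-in for COMMAND_ERROR(status): counts reads of a freed object. */
static int command_error(const status_t *s) { if (s->freed) uaf_reads++; return s->error; }

/* Control flow of the report: nothing returns after the first free. */
int reset_buggy(int get_cmd_fails)
{
    status_t *status = calloc(1, sizeof(*status));
    if (!status)
        return ENOMEM;
    if (get_cmd_fails)
        track_free(status);        /* "Start --->" in the report */
    (void)command_error(status);   /* "Error --->": read after free */
    track_free(status);            /* second free of the same pointer */
    free(status);                  /* real release, exactly once */
    return 0;                      /* failure is also reported as success */
}

/* One possible correction: return right after the free. EIO is an
 * assumed error code chosen for this example. */
int reset_fixed(int get_cmd_fails)
{
    status_t *status = calloc(1, sizeof(*status));
    if (!status)
        return ENOMEM;
    if (get_cmd_fails) {
        track_free(status);
        free(status);
        return EIO;
    }
    (void)command_error(status);
    track_free(status);
    free(status);
    return 0;
}

int main(void) { reset_buggy(1); printf("uaf=%d double=%d\n", uaf_reads, double_frees); return 0; }
```

In the buggy flow the failure branch produces one read of freed memory and one second free of the same pointer; the corrected flow produces neither and reports the failure to the caller.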