authorclaudio <claudio@openbsd.org>2017-07-19 07:02:52 +0000
committerclaudio <claudio@openbsd.org>2017-07-19 07:02:52 +0000
commit39200eb47f7dfb64c84a00fac6236037a3b88611 (patch)
tree6b9d2ffdee7e7fed11784dbf18748f30737e2266
parentFix double free in pppoe_dispatch_disc_pkt(). If m_pulldown() fails m is (diff)
Fix possible double free in the TX dma ring handling. If the allocation of
the cluster fails in vte_init_tx_ring() the mbuf is removed but the slot in the ring still holds the pointer. A possible call to vte_stop() would then cause a double free. Again set pointer to NULL to prevent this. Found by Ilja Van Sprundel OK bluhm@
-rw-r--r--sys/dev/pci/if_vte.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/dev/pci/if_vte.c b/sys/dev/pci/if_vte.c
index 24517648dcf..1e50364ef22 100644
--- a/sys/dev/pci/if_vte.c
+++ b/sys/dev/pci/if_vte.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_vte.c,v 1.19 2017/01/22 10:17:38 dlg Exp $ */
+/* $OpenBSD: if_vte.c,v 1.20 2017/07/19 07:02:52 claudio Exp $ */
/*-
* Copyright (c) 2010, Pyun YongHyeon <yongari@FreeBSD.org>
* All rights reserved.
@@ -1353,6 +1353,7 @@ vte_init_tx_ring(struct vte_softc *sc)
MCLGET(sc->vte_cdata.vte_txmbufs[i], M_DONTWAIT);
if (!(sc->vte_cdata.vte_txmbufs[i]->m_flags & M_EXT)) {
m_freem(sc->vte_cdata.vte_txmbufs[i]);
+ sc->vte_cdata.vte_txmbufs[i] = NULL;
return (ENOBUFS);
}
sc->vte_cdata.vte_txmbufs[i]->m_pkthdr.len = MCLBYTES;
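Review bot: The added `sc->vte_cdata.vte_txmbufs[i] = NULL;` carries no comment, so the reason the slot must be cleared lives only in the commit message; I would put `/* Slot must not keep the freed mbuf: a later vte_stop() would free it again. */` above it. The stale pointer exists because the mbuf is allocated directly into the ring slot. Building it in a local `struct mbuf *m` and storing it into `vte_txmbufs[i]` only after the `M_EXT` check passes would mean a freed pointer is never reachable from the ring, though the initial allocation line is outside this hunk. The loop and the rest of vte_init_tx_ring() also lie outside the hunk, so it cannot be confirmed from here that the slots filled in earlier iterations are released on the `ENOBUFS` return; that is worth checking in the caller.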