From 39200eb47f7dfb64c84a00fac6236037a3b88611 Mon Sep 17 00:00:00 2001
From: claudio
Date: Wed, 19 Jul 2017 07:02:52 +0000
Subject: Fix possible double free in the TX dma ring handling. If the allocation of the cluster fails in vte_init_tx_ring() the mbuf is removed but the slot in the ring still holds the pointer. A possible call to vte_stop() would then cause a double free. Again set pointer to NULL to prevent this. Found by Ilja Van Sprundel OK bluhm@
---
 sys/dev/pci/if_vte.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/pci/if_vte.c b/sys/dev/pci/if_vte.c
index 24517648dcf..1e50364ef22 100644
--- a/sys/dev/pci/if_vte.c
+++ b/sys/dev/pci/if_vte.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_vte.c,v 1.19 2017/01/22 10:17:38 dlg Exp $ */
+/* $OpenBSD: if_vte.c,v 1.20 2017/07/19 07:02:52 claudio Exp $ */
 /*-
 * Copyright (c) 2010, Pyun YongHyeon
 * All rights reserved.
@@ -1353,6 +1353,7 @@ vte_init_tx_ring(struct vte_softc *sc)
 MCLGET(sc->vte_cdata.vte_txmbufs[i], M_DONTWAIT);
 if (!(sc->vte_cdata.vte_txmbufs[i]->m_flags & M_EXT)) {
 m_freem(sc->vte_cdata.vte_txmbufs[i]);
+ sc->vte_cdata.vte_txmbufs[i] = NULL;
 return (ENOBUFS);
 }
 sc->vte_cdata.vte_txmbufs[i]->m_pkthdr.len = MCLBYTES;
-- 
cgit v1.2.3-59-g8ed1b
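Review bot: The new `sc->vte_cdata.vte_txmbufs[i] = NULL;` in the M_EXT failure branch of vte_init_tx_ring() has no comment saying why the slot must be cleared, and the reason sits in a different function: per the commit message, vte_stop() would otherwise free the same mbuf a second time. I would put a one-line comment above the assignment, e.g. `/* Do not leave the freed mbuf in the ring: vte_stop() would free it again. */`, so the invariant is not lost in a later cleanup. The loop and the rest of the function lie outside the hunk, so it is not visible whether the slots above index i are guaranteed to be NULL when this path returns ENOBUFS. If the ring can be re-initialised without being zeroed first, that would be the same class of stale-pointer problem and is worth checking.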