Spotted by LLVM static analyser. In /usr/src/sys/dev/ic/ami.c line 499 ami_freemem(sc, am) is called. In the next block ami_alloc_ccbs(...) is called. If the result != 0 control jumps to free_mbox in line 614. This falls through to call ami_freemem(sc, am) again.
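The error-path shape described in the report, as an added example that is not part of the original post or of the ami(4) source: a simplified model in which the release function only counts calls, so the second release can be observed without corrupting the heap. All type and function names are hypothetical, and the guarded cleanup is one possible fix, assumed here for illustration.

```c
/* Added example: simplified model, not the ami(4) source; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
struct mem { void *buf; int releases; };    /* releases counts free calls */

/* Instrumented release: counts every call but frees the buffer only once,
 * so a double release is observable without corrupting the heap. */
static void mem_release(struct mem *m) {
    if (++m->releases == 1)
        free(m->buf);
}

/* fail_step: 0 = success, 1 = failure before the inline release,
 * 2 = failure after it (the case from the report). */
static int attach_buggy(struct mem *am, int fail_step) {
    if (fail_step == 1)
        goto free_mbox;             /* am still live: cleanup must release */
    mem_release(am);                /* inline release */
    if (fail_step == 2)
        goto free_mbox;             /* am already released */
    return 0;
free_mbox:
    mem_release(am);                /* second release when fail_step == 2 */
    return 1;
}

/* One possible fix: clear the pointer at the inline release, guard cleanup. */
static int attach_fixed(struct mem *am, int fail_step) {
    if (fail_step == 1)
        goto free_mbox;
    mem_release(am);
    am = NULL;                      /* ownership ended here */
    if (fail_step == 2)
        goto free_mbox;
    return 0;
free_mbox:
    if (am != NULL)
        mem_release(am);
    return 1;
}

/* Runs one variant and returns how many times the object was released. */
static int count_releases(int (*attach)(struct mem *, int), int fail_step) {
    struct mem m = { malloc(64), 0 };
    attach(&m, fail_step);
    return m.releases;
}
int main(void) {
    printf("late failure: buggy=%d fixed=%d releases\n",
        count_releases(attach_buggy, 2), count_releases(attach_fixed, 2));
}
```

An early failure (fail_step 1) releases the object once in both variants, which is why the cleanup label cannot simply drop the release.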
- Use after free in ami(4) Arto Jonsson
