The branch main has been updated by philip: URL: https://cgit.FreeBSD.org/src/commit/?id=c4995b69db93fdab5fe375eae129aeff1cbca1bb
commit c4995b69db93fdab5fe375eae129aeff1cbca1bb Author: Philip Paeps <[email protected]> AuthorDate: 2022-07-08 03:49:54 +0000 Commit: Philip Paeps <[email protected]> CommitDate: 2022-07-08 03:49:54 +0000 ipmi: fix a use-after-free bug in error handling 18db96dbfd4a09063a0abcefd51fa8d2aeb115d6 introduced a use-after-free bug in the error handling of the IPMICTL_RECEIVE_MSG ioctl. Reported by: Coverity (CID 1490456) (via vangyzen) Differential Revision: https://reviews.freebsd.org/D35605 --- sys/dev/ipmi/ipmi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/dev/ipmi/ipmi.c b/sys/dev/ipmi/ipmi.c index 7afafa492b6f..fd264dfc4c27 100644 --- a/sys/dev/ipmi/ipmi.c +++ b/sys/dev/ipmi/ipmi.c @@ -388,12 +388,13 @@ ipmi_ioctl(struct cdev *cdev, u_long cmd, caddr_t data, return (EAGAIN); } if (kreq->ir_error != 0) { + error = kreq->ir_error; TAILQ_REMOVE(&dev->ipmi_completed_requests, kreq, ir_link); dev->ipmi_requests--; IPMI_UNLOCK(sc); ipmi_free_request(kreq); - return (kreq->ir_error); + return (error); } recv->recv_type = IPMI_RESPONSE_RECV_TYPE;
