Module Name:    src
Committed By:   maxv
Date:           Mon Aug 15 08:52:33 UTC 2016

Modified Files:
        src/sys/dev/microcode/aic7xxx: aicasm.c

Log Message:
This thing is completely buggy. There is a use-after-free and NULL pointer
dereference. Just fix the uaf, and add a comment. Not tested, but obvious
enough; found by brainy.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/dev/microcode/aic7xxx/aicasm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/microcode/aic7xxx/aicasm.c
diff -u src/sys/dev/microcode/aic7xxx/aicasm.c:1.8 src/sys/dev/microcode/aic7xxx/aicasm.c:1.9
--- src/sys/dev/microcode/aic7xxx/aicasm.c:1.8	Sun Dec 27 16:03:49 2009
+++ src/sys/dev/microcode/aic7xxx/aicasm.c	Mon Aug 15 08:52:33 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $	*/
+/*	$NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $	*/
 
 /*
  * Aic7xxx SCSI host adapter firmware asssembler
@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $");
+__RCSID("$NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -595,6 +595,7 @@ output_listing(char *ifilename)
 				putchar(input);
 		}
 		free(func_values);
+		func_values = NULL;
 		fprintf(stdout, "\nThanks!\n");
 	}
 
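Review bot: Clearing the pointer with `func_values = NULL;` after `free(func_values);` removes the use-after-free, but the call `check_patch(&cur_patch, instrcount, &skip_addr, func_values)` in the `@@ -604,6 +605,11 @@` hunk still receives that pointer, and the new XXX comment there says it will crash on it, so the defect is only changed from a dangling read to a NULL dereference. If check_patch indexes func_values for patched instructions, the free() belongs after the instruction loop that consumes it rather than inside this block; the end of that loop is outside the hunk, so the move cannot be quoted here. The wording "'func_values' is always NULL" in the new comment also holds only when this block executed, since the pointer's initial value is not visible in either hunk; a more precise comment would be `/* func_values was freed and cleared above, so check_patch dereferences NULL here. */`. output_listing starts and ends outside both hunks.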
@@ -604,6 +605,11 @@ output_listing(char *ifilename)
 	     cur_instr != NULL;
 	     cur_instr = STAILQ_NEXT(cur_instr, links), instrcount++) {
 
+		/*
+		 * XXX XXX XXX: What exactly are we trying to do here?
+		 * 'func_values' is always NULL, so check_patch will
+		 * necessarily crash.
+		 */
 		if (check_patch(&cur_patch, instrcount,
 				&skip_addr, func_values) == 0) {
 			/* Don't count this instruction as it is in a patch
