On Mon, May 11, 2015 at 22:11 +0200, Maxime Villard wrote:
> Hi,
> I put here two bugs among others:
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2757
> 	if (!(m0->m_flags & M_EXT))
> 		m_freem(m0);
> 	len = MCLBYTES;
>
> 	totlen -= len;
> 	m0->m_pkthdr.len = m0->m_len = len;
> 	mlast = m0;
>
> ------------------------------------------------------------------------
>
> Use-after-free with 'm0'.
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2766
> 	MGET(m, M_DONTWAIT, MT_DATA);
> 	if (m == NULL) {
> 		m_freem(m0);
> 		return (NULL);
> 	}
> 	MCLGET(m, M_DONTWAIT);
> 	if (!(m->m_flags & M_EXT)) {
> 		m_freem(m0);
> 		return (NULL);
> 	}
> 	len = MCLBYTES;
>
> ------------------------------------------------------------------------
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime
>
Fixed in -current. Thanks for reporting!
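
Added example, not part of the thread and not the change committed to -current: a user-space model of the two error paths quoted above, with an allocation counter so the leak of 'm' can be measured and the early return that avoids touching 'm0' after m_freem(). The struct mbuf, m_get, m_clget and m_freem here are simplified stand-ins for the kernel mbuf API, and copy_chain, leaked_after, live, fail_cluster and as_reported are hypothetical names.

```c
#include <stdlib.h>
#define M_EXT    0x1
#define MCLBYTES 2048
struct mbuf { struct mbuf *m_next; int m_flags, m_len; };
static int live;          /* mbufs currently allocated */
static int fail_cluster;  /* fail the Nth cluster request, 0 = never */
static struct mbuf *m_get(void) {
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m != NULL) live++;
    return m;
}
static void m_clget(struct mbuf *m) {   /* sets M_EXT only on success */
    if (fail_cluster == 0 || --fail_cluster != 0) m->m_flags |= M_EXT;
}
static void m_freem(struct mbuf *m) {   /* frees the whole chain */
    while (m != NULL) { struct mbuf *n = m->m_next; free(m); live--; m = n; }
}
/* Build a chain for totlen bytes; as_reported=1 keeps the reported leak. */
static struct mbuf *copy_chain(int totlen, int as_reported) {
    struct mbuf *m0, *m, *mlast;
    if ((m0 = m_get()) == NULL) return NULL;
    m_clget(m0);
    if (!(m0->m_flags & M_EXT)) {
        m_freem(m0);
        return NULL;    /* without this return, m0 is written after the free */
    }
    m0->m_len = MCLBYTES;
    mlast = m0;
    for (totlen -= MCLBYTES; totlen > 0; totlen -= MCLBYTES) {
        if ((m = m_get()) == NULL) { m_freem(m0); return NULL; }
        m_clget(m);
        if (!(m->m_flags & M_EXT)) {
            if (!as_reported) m_freem(m);   /* m is not linked to m0 yet */
            m_freem(m0);
            return NULL;
        }
        m->m_len = MCLBYTES;
        mlast->m_next = m;
        mlast = m;
    }
    return m0;
}
/* Run one scenario; returns how many mbufs are still allocated afterwards. */
static int leaked_after(int totlen, int fail_at, int as_reported) {
    live = 0; fail_cluster = fail_at;
    m_freem(copy_chain(totlen, as_reported));
    return live;
}
int main(void) { return leaked_after(3 * MCLBYTES, 2, 0); }
```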