On Mon, May 11, 2015 at 22:11 +0200, Maxime Villard wrote:
> Hi,
> I put here two bugs among others:
> 
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
> 
> 2757
>       if (!(m0->m_flags & M_EXT))
>               m_freem(m0);
>       len = MCLBYTES;
> 
>       totlen -= len;
>       m0->m_pkthdr.len = m0->m_len = len;
>       mlast = m0;
> 
> ------------------------------------------------------------------------
> 
> Use-after-free with 'm0'.
> 
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
> 
> 2766
>               MGET(m, M_DONTWAIT, MT_DATA);
>               if (m == NULL) {
>                       m_freem(m0);
>                       return (NULL);
>               }
>               MCLGET(m, M_DONTWAIT);
>               if (!(m->m_flags & M_EXT)) {
>                       m_freem(m0);
>                       return (NULL);
>               }
>               len = MCLBYTES;
> 
> ------------------------------------------------------------------------
> 
> 'm' is leaked.
> 
> Found by The Brainy Code Scanner.
> 
> Maxime
> 

Fixed in -current.  Thanks for reporting!
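The two error paths reported above, modelled in userland C as an added example (this is not the OpenBSD driver code and not the fix committed to -current). `struct mbuf`, `mget`, `mclget`, `m_freem`, `build_chain` and the `fail_at` fault injector are simplified stand-ins assumed here, so that a live-allocation counter can show both failure branches returning without reusing `m0` and without leaking `m`.

```c
#include <stdlib.h>
#define M_EXT    0x1
#define MCLBYTES 2048
struct mbuf { struct mbuf *m_next; int m_flags; int m_len; };

static int live;    /* mbufs currently allocated: nonzero after a failure means a leak */
static int allocs;  /* allocation attempts made by the current build_chain() call */
static int fail_at; /* constructed fault injection: attempt that fails, 0 = never */
static int should_fail(void) { return ++allocs == fail_at; }

static struct mbuf *mget(void) {
    struct mbuf *m;
    if (should_fail() || (m = calloc(1, sizeof(*m))) == NULL)
        return NULL;
    live++;
    return m;
}
/* Like MCLGET in the quoted code: on failure the mbuf stays allocated, M_EXT stays clear. */
static void mclget(struct mbuf *m) { if (!should_fail()) m->m_flags |= M_EXT; }

static void m_freem(struct mbuf *m) {  /* frees the whole chain */
    while (m != NULL) { struct mbuf *n = m->m_next; free(m); live--; m = n; }
}

/* Build a chain of cluster mbufs covering totlen bytes; NULL on any failure. */
struct mbuf *build_chain(int totlen, int inject) {
    struct mbuf *m0, *m, *mlast;
    allocs = 0; fail_at = inject;
    if ((m0 = mget()) == NULL)
        return NULL;
    mclget(m0);
    if (!(m0->m_flags & M_EXT)) {
        m_freem(m0);
        return NULL;        /* first report: return, m0 must not be used again */
    }
    m0->m_len = MCLBYTES; totlen -= MCLBYTES; mlast = m0;
    while (totlen > 0) {
        if ((m = mget()) == NULL) { m_freem(m0); return NULL; }
        mclget(m);
        if (!(m->m_flags & M_EXT)) {
            m_freem(m);     /* second report: m is not linked into m0's chain yet */
            m_freem(m0);
            return NULL;
        }
        m->m_len = MCLBYTES; totlen -= MCLBYTES;
        mlast->m_next = m; mlast = m;
    }
    return m0;
}
```

Calling `build_chain` with each injection point in turn and checking that `live` is back at zero is the same leak check a fault-injection test would run against the real allocation path.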
