On Mon, 11 May 2015 22:11:10 +0200
Maxime Villard <[email protected]> wrote:
> Hi,
> I put here two bugs among others:
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2757
>         if (!(m0->m_flags & M_EXT))
>                 m_freem(m0);
>         len = MCLBYTES;
>
>         totlen -= len;
>         m0->m_pkthdr.len = m0->m_len = len;
>         mlast = m0;
>
> ------------------------------------------------------------------------
>
> Use-after-free with 'm0'.
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2766
>         MGET(m, M_DONTWAIT, MT_DATA);
>         if (m == NULL) {
>                 m_freem(m0);
>                 return (NULL);
>         }
>         MCLGET(m, M_DONTWAIT);
>         if (!(m->m_flags & M_EXT)) {
>                 m_freem(m0);
>                 return (NULL);
>         }
>         len = MCLBYTES;
>
> ------------------------------------------------------------------------
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime
>
If there are any other unresolved bugs your code scanner has found,
please do report them. It's better for everyone.
Is there any chance you would one day open source it, or tell us what
it is based on? :)
Thanks anyway!
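For readers who want to see the two error paths quoted above handled correctly, here is an added stand-alone C example that is not part of this thread and not NetBSD's hifn7751.c. It rebuilds the same chain-construction loop against a small mock of the mbuf API (mock_mget, mock_mclget, mock_m_freem, the MCLBYTES and M_EXT constants, and the live_mbufs counter are all hypothetical stand-ins constructed for this example) so that a leak can be counted and a cluster-attach failure can be injected. The first failure path returns immediately after freeing m0 instead of continuing to write m0->m_pkthdr.len, and the second path frees the not-yet-linked m before freeing m0, so nothing is leaked.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical mock of the mbuf API for this example; not NetBSD's headers. */
#define M_EXT    0x0001
#define MCLBYTES 2048

struct mbuf {
    struct mbuf *m_next;
    int          m_flags;
    size_t       m_len;
    size_t       m_pkthdr_len;   /* stands in for m_pkthdr.len on the head mbuf */
};

/* Leak bookkeeping: each mock MGET adds one, each mock m_freem subtracts one per mbuf. */
static int live_mbufs = 0;
/* Fault injection: when non-zero, the Nth cluster attach (1 = first) fails. */
static int fail_cluster_at = 0;
static int cluster_calls = 0;

static struct mbuf *mock_mget(void) {
    struct mbuf *m = calloc(1, sizeof *m);
    if (m != NULL)
        live_mbufs++;
    return m;
}

/* Like MCLGET: on failure M_EXT is simply left clear. */
static void mock_mclget(struct mbuf *m) {
    cluster_calls++;
    if (fail_cluster_at != 0 && cluster_calls == fail_cluster_at)
        return;                         /* simulated cluster exhaustion */
    m->m_flags |= M_EXT;
}

/* Like m_freem: releases a whole chain. */
static void mock_m_freem(struct mbuf *m) {
    while (m != NULL) {
        struct mbuf *n = m->m_next;
        free(m);
        live_mbufs--;
        m = n;
    }
}

/*
 * Build a chain of cluster-backed mbufs holding totlen bytes.
 * On any failure every mbuf allocated so far is released exactly once,
 * NULL is returned, and no mbuf is touched after it has been freed.
 */
struct mbuf *build_chain(size_t totlen) {
    struct mbuf *m0, *m, *mlast;
    size_t len;

    m0 = mock_mget();
    if (m0 == NULL)
        return NULL;
    mock_mclget(m0);
    if (!(m0->m_flags & M_EXT)) {
        mock_m_freem(m0);
        return NULL;                    /* bail out here; m0 is gone */
    }
    len = totlen < MCLBYTES ? totlen : MCLBYTES;
    totlen -= len;
    m0->m_pkthdr_len = m0->m_len = len;
    mlast = m0;

    while (totlen > 0) {
        m = mock_mget();
        if (m == NULL) {
            mock_m_freem(m0);
            return NULL;
        }
        mock_mclget(m);
        if (!(m->m_flags & M_EXT)) {
            mock_m_freem(m);            /* m is not linked into the chain yet */
            mock_m_freem(m0);
            return NULL;
        }
        len = totlen < MCLBYTES ? totlen : MCLBYTES;
        totlen -= len;
        m->m_len = len;
        m0->m_pkthdr_len += len;
        mlast->m_next = m;
        mlast = m;
    }
    return m0;
}

/* Helpers for checking behaviour: reset fault injection, count live mbufs, count chain links. */
void   reset_mock(int fail_at) { fail_cluster_at = fail_at; cluster_calls = 0; live_mbufs = 0; }
int    live_count(void)        { return live_mbufs; }
size_t chain_len(const struct mbuf *m) { size_t n = 0; for (; m != NULL; m = m->m_next) n++; return n; }
void   release_chain(struct mbuf *m)   { mock_m_freem(m); }
```

Calling build_chain(5000) with no fault injected yields a three-mbuf chain (2048 + 2048 + 904 bytes) and three live mbufs; injecting a failure on the first or the second cluster attach makes it return NULL with the live count back at zero, which is exactly the property the two quoted error paths lack.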