Hi,

Here is one bug, among others:

-------------------------- sys/dev/pci/if_bnx.c ------------------------
if ((status & L2_FHDR_STATUS_L2_VLAN_TAG) && !(sc->rx_mode & BNX_EMAC_RX_MODE_KEEP_VLAN_TAG)) { #if NVLAN > 0 DBPRINT(sc, BNX_VERBOSE_SEND, "%s(): VLAN tag = 0x%04X\n", __FUNCTION__, l2fhdr->l2_fhdr_vlan_tag); m->m_pkthdr.ether_vtag = l2fhdr->l2_fhdr_vlan_tag; m->m_flags |= M_VLANTAG; #else m_freem(m); goto bnx_rx_int_next_rx; #endif } bnx_rx_int_next_rx: sw_prod = NEXT_RX_BD(sw_prod); } sw_cons = NEXT_RX_BD(sw_cons); /* If we have a packet, pass it up the stack */ if (m) { sc->rx_cons = sw_cons; DBPRINT(sc, BNX_VERBOSE_RECV, "%s(): Passing received frame up.\n", __FUNCTION__); ml_enqueue(&ml, m); DBRUNIF(1, sc->rx_mbuf_alloc--); sw_cons = sc->rx_cons; }
------------------------------------------------------------------------

Use-after-free with 'm'. In the excerpt above, when NVLAN is 0 the #else branch calls m_freem(m) and jumps to bnx_rx_int_next_rx without resetting m, so the later `if (m)` test still passes and the freed mbuf is handed to ml_enqueue(). Setting m to NULL right after m_freem(m) would keep that check from passing on a freed mbuf.

Found by The Brainy Code Scanner.

Maxime