ipmi: fix a use-after-free bug in error handling

18db96dbfd introduced a use-after-free bug in the error handling of the IPMICTL_RECEIVE_MSG ioctl. Reported by: Coverity (CID 1490456) (via vangyzen) Differential Revision: https://reviews.freebsd.org/D35605
2022-07-08 11:49:54 +08:00 · 2022-07-08 11:49:54 +08:00 · c4995b69db
commit c4995b69db
parent a0b956f5ac
1 changed files with 2 additions and 1 deletions
--- a/sys/dev/ipmi/ipmi.c
+++ b/sys/dev/ipmi/ipmi.c
@ -388,12 +388,13 @@ ipmi_ioctl(struct cdev *cdev, u_long cmd, caddr_t data,
 			return (EAGAIN);
 		}
 		if (kreq->ir_error != 0) {
+			error = kreq->ir_error;
 			TAILQ_REMOVE(&dev->ipmi_completed_requests, kreq,
 			    ir_link);
 			dev->ipmi_requests--;
 			IPMI_UNLOCK(sc);
 			ipmi_free_request(kreq);
-			return (kreq->ir_error);
+			return (error);
 		}

 		recv->recv_type = IPMI_RESPONSE_RECV_TYPE;