d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ocs_fc: Fix use after free bug in ocs_hw_async_call()

Browse Source 
Freed ctx is used in the later callee ocs_hw_command(),
which is a use after free bug.

Return error if sli_cmd_common_nop() failed.

PR: 255865
Reported by: lylgood@foxmail.com
Approved by:: markj
This commit is contained in:
Ram Kishore Vegesna 2021-05-28 11:21:10 +05:30
parent dd722ccd6e
commit 7377d3831b
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/dev/ocs_fc/ocs_hw.c
View File

@ -11778,7 +11778,6 @@ ocs_hw_async_cb(ocs_hw_t *hw, int32_t status, uint8_t *mqe, void *arg)
int32_t
ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
{
int32_t rc = 0;
ocs_hw_async_call_ctx_t *ctx;
/*
@ -11798,15 +11797,15 @@ ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
if (sli_cmd_common_nop(&hw->sli, ctx->cmd, sizeof(ctx->cmd), 0) == 0) {
ocs_log_err(hw->os, "COMMON_NOP format failure\n");
ocs_free(hw->os, ctx, sizeof(*ctx));
rc = -1;
return OCS_HW_RTN_ERROR;
}
if (ocs_hw_command(hw, ctx->cmd, OCS_CMD_NOWAIT, ocs_hw_async_cb, ctx)) {
ocs_log_err(hw->os, "COMMON_NOP command failure\n");
ocs_free(hw->os, ctx, sizeof(*ctx));
rc = -1;
return OCS_HW_RTN_ERROR;
}
return rc;
return OCS_HW_RTN_SUCCESS;
}
/**