From ae7c484e8247803a6fb002378b42c4dc8b3c2371 Mon Sep 17 00:00:00 2001
From: Robert Watson <rwatson@FreeBSD.org>
Date: Fri, 13 Jan 2006 23:20:46 +0000
Subject: [PATCH] When freeing the chain of if_ef devices on an aborted load,
 use SLIST_FOREACH_SAFE() rather than SLIST_FOREACH(), as elements are freed
 on each iteration of the loop.  This prevents use-after-free.

Noticed by:	Coverity Prevent analysis tool
MFC after:	3 days
---
 sys/net/if_ef.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/if_ef.c b/sys/net/if_ef.c
index 849c8db719e7..2c2828cba73b 100644
--- a/sys/net/if_ef.c
+++ b/sys/net/if_ef.c
@@ -491,7 +491,7 @@ ef_load(void)
 {
 	struct ifnet *ifp;
 	struct efnet *efp;
-	struct ef_link *efl = NULL;
+	struct ef_link *efl = NULL, *efl_temp;
 	int error = 0, d;
 
 	IFNET_RLOCK();
@@ -529,7 +529,7 @@ ef_load(void)
 	if (error) {
 		if (efl)
 			SLIST_INSERT_HEAD(&efdev, efl, el_next);
-		SLIST_FOREACH(efl, &efdev, el_next) {
+		SLIST_FOREACH_SAFE(efl, &efdev, el_next, efl_temp) {
 			for (d = 0; d < EF_NFT; d++)
 				if (efl->el_units[d]) {
 					if (efl->el_units[d]->ef_pifp != NULL)