d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge if_ef.c:1.37 from HEAD to RELENG_6:

Browse Source 
When freeing the chain of if_ef devices on an aborted load, use
  SLIST_FOREACH_SAFE() rather than SLIST_FOREACH(), as elements are
  freed on each iteration of the loop.  This prevents use-after-free.

  Noticed by:     Coverity Prevent analysis tool

Approved by:	re (scottl)
This commit is contained in:
rwatson 2006-02-14 21:09:46 +00:00
parent e6419f405e
commit bcc6ac0035
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/net/if_ef.c
View File

@ -495,7 +495,7 @@ ef_load(void)
{
struct ifnet *ifp;
struct efnet *efp;
struct ef_link *efl = NULL;
struct ef_link *efl = NULL, *efl_temp;
int error = 0, d;
IFNET_RLOCK();
@ -533,7 +533,7 @@ ef_load(void)
if (error) {
if (efl)
SLIST_INSERT_HEAD(&efdev, efl, el_next);
SLIST_FOREACH(efl, &efdev, el_next) {
SLIST_FOREACH_SAFE(efl, &efdev, el_next, efl_temp) {
for (d = 0; d < EF_NFT; d++)
if (efl->el_units[d]) {
if (efl->el_units[d]->ef_pifp != NULL)