From ce017db11c3b3cc59cb586aa546090fcbe9e40bc Mon Sep 17 00:00:00 2001 From: Andriy Voskoboinyk Date: Fri, 17 Feb 2017 23:20:22 +0000 Subject: [PATCH] iwi, ral, zyd: fix possible use-after-free. MFC after: 5 days --- sys/dev/iwi/if_iwi.c | 2 +- sys/dev/ral/rt2661.c | 2 +- sys/dev/usb/wlan/if_zyd.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/dev/iwi/if_iwi.c b/sys/dev/iwi/if_iwi.c index f1116f61e0f4..8e049e36ec0f 100644 --- a/sys/dev/iwi/if_iwi.c +++ b/sys/dev/iwi/if_iwi.c @@ -1979,9 +1979,9 @@ iwi_start(struct iwi_softc *sc) } ni = (struct ieee80211_node *) m->m_pkthdr.rcvif; if (iwi_tx_start(sc, m, ni, ac) != 0) { - ieee80211_free_node(ni); if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1); + ieee80211_free_node(ni); break; } sc->sc_tx_timer = 5; diff --git a/sys/dev/ral/rt2661.c b/sys/dev/ral/rt2661.c index d4872cd50446..3e4d7fdde42a 100644 --- a/sys/dev/ral/rt2661.c +++ b/sys/dev/ral/rt2661.c @@ -1616,9 +1616,9 @@ rt2661_start(struct rt2661_softc *sc) } ni = (struct ieee80211_node *) m->m_pkthdr.rcvif; if (rt2661_tx_data(sc, m, ni, ac) != 0) { - ieee80211_free_node(ni); if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1); + ieee80211_free_node(ni); break; } sc->sc_tx_timer = 5; diff --git a/sys/dev/usb/wlan/if_zyd.c b/sys/dev/usb/wlan/if_zyd.c index b04cc3cfc4d9..f4ae7e7c6b74 100644 --- a/sys/dev/usb/wlan/if_zyd.c +++ b/sys/dev/usb/wlan/if_zyd.c @@ -2582,10 +2582,10 @@ zyd_start(struct zyd_softc *sc) while (sc->tx_nfree > 0 && (m = mbufq_dequeue(&sc->sc_snd)) != NULL) { ni = (struct ieee80211_node *)m->m_pkthdr.rcvif; if (zyd_tx_start(sc, m, ni) != 0) { - ieee80211_free_node(ni); m_freem(m); if_inc_counter(ni->ni_vap->iv_ifp, IFCOUNTER_OERRORS, 1); + ieee80211_free_node(ni); break; } }