The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=16f8f89c5c1f324a15a7e0607f03f041a230a572
commit 16f8f89c5c1f324a15a7e0607f03f041a230a572 Author: Mark Johnston <ma...@freebsd.org> AuthorDate: 2021-05-26 14:02:19 +0000 Commit: Mark Johnston <ma...@freebsd.org> CommitDate: 2021-05-26 14:45:40 +0000 cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on PR: 224927 MFC after: 1 week --- sys/dev/cxgb/cxgb_sge.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/dev/cxgb/cxgb_sge.c b/sys/dev/cxgb/cxgb_sge.c index f13d2f03180c..00b67880fcc8 100644 --- a/sys/dev/cxgb/cxgb_sge.c +++ b/sys/dev/cxgb/cxgb_sge.c @@ -2773,6 +2773,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, if (mh->mh_tail == NULL) { log(LOG_ERR, "discarding intermediate descriptor entry\n"); m_freem(m); + m = NULL; break; } mh->mh_tail->m_next = m; @@ -2780,7 +2781,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, mh->mh_head->m_pkthdr.len += len; break; } - if (cxgb_debug) + if (cxgb_debug && m != NULL) printf("len=%d pktlen=%d\n", m->m_len, m->m_pkthdr.len); done: if (++fl->cidx == fl->size) _______________________________________________ dev-commits-src-main@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"