Author: seanc (ports committer) Date: Fri Jul 12 18:17:35 2019 New Revision: 349945 URL: https://svnweb.freebsd.org/changeset/base/349945
Log: usr.sbin/bhyve: prevent use-after-free in virtio scsi request handling Coverity CID: 1393377 Approved by: araujo, jhb Differential Revision: https://reviews.freebsd.org/D20915 Modified: head/usr.sbin/bhyve/pci_virtio_scsi.c Modified: head/usr.sbin/bhyve/pci_virtio_scsi.c ============================================================================== --- head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:13:58 2019 (r349944) +++ head/usr.sbin/bhyve/pci_virtio_scsi.c Fri Jul 12 18:17:35 2019 (r349945) @@ -465,7 +465,7 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, int data_niov_in, data_niov_out; void *ext_data_ptr = NULL; uint32_t ext_data_len = 0, ext_sg_entries = 0; - int err; + int err, nxferred; seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in, VTSCSI_IN_HEADER_LEN(sc)); @@ -544,10 +544,11 @@ pci_vtscsi_request_handle(struct pci_vtscsi_queue *q, } buf_to_iov(cmd_wr, VTSCSI_OUT_HEADER_LEN(sc), iov_out, niov_out, 0); + nxferred = VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled; free(cmd_rd); free(cmd_wr); ctl_scsi_free_io(io); - return (VTSCSI_OUT_HEADER_LEN(sc) + io->scsiio.ext_data_filled); + return (nxferred); } static void _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
