From 88619392216a5446c44e6633629936f4ff1895fa Mon Sep 17 00:00:00 2001
From: Stephen McConnell
Date: Mon, 9 May 2016 16:26:34 +0000
Subject: [PATCH] Fix possible use of invalid pointer. It was possible to use an invalid pointer to get the target ID value. To fix this, initialize a local Target ID variable to an invalid value and change that variable to a valid value only if the pointer to the Target ID is not NULL. Reviewed by: ken, scottl, ambrisko, asomers Approved by: ken, scottl, ambrisko MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D6100
---
 sys/dev/mpr/mpr_sas.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/dev/mpr/mpr_sas.c b/sys/dev/mpr/mpr_sas.c
index b51f7f3a009..6d16b0f893a 100644
--- a/sys/dev/mpr/mpr_sas.c
+++ b/sys/dev/mpr/mpr_sas.c
@@ -243,6 +243,8 @@ mprsas_alloc_tm(struct mpr_softc *sc)
 void
 mprsas_free_tm(struct mpr_softc *sc, struct mpr_command *tm)
 {
+ int target_id = 0xFFFFFFFF;
+
 MPR_FUNCTRACE(sc);
 if (tm == NULL)
 return;
@@ -254,10 +256,11 @@ mprsas_free_tm(struct mpr_softc *sc, struct mpr_command *tm)
 */
 if (tm->cm_targ != NULL) {
 tm->cm_targ->flags &= ~MPRSAS_TARGET_INRESET;
+ target_id = tm->cm_targ->tid;
 }
 if (tm->cm_ccb) {
 mpr_dprint(sc, MPR_INFO, "Unfreezing devq for target ID %d\n",
- tm->cm_targ->tid);
+ target_id);
 xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
 xpt_free_path(tm->cm_ccb->ccb_h.path);
 xpt_free_ccb(tm->cm_ccb);
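Review bot: The sentinel added in the first hunk, `int target_id = 0xFFFFFFFF;`, assigns an unsigned constant that does not fit in `int`, so the stored value comes from an implementation-defined conversion (in practice -1), and the `%d` in the second hunk's `mpr_dprint` call will log "target ID -1" whenever `tm->cm_targ` is NULL. Stating the intent directly, `int target_id = -1; /* no target attached to this TM */`, would make the invalid value explicit; alternatively the local could take the type of `tid` (not visible in this diff) with a matching format specifier. The body of mprsas_free_tm runs between and past both hunks, so whether any other statement still dereferences `tm->cm_targ` without the NULL check cannot be confirmed from here.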