Fix a NULL pointer dereference in mly_user_command().

If mly_user_command fails to allocate a command slot it jumps to an 'out'
label used for error handling.  The error handling code checks for a data
buffer in 'mc->mc_data' to free before checking if 'mc' is NULL.  Fix by
just returning directly if we fail to allocate a command and only using
the 'out' label for subsequent errors when there is actual cleanup to
perform.

PR:		217747
Reported by:	PVS-Studio
Reviewed by:	emaste
MFC after:	1 week
John Baldwin 2017-08-08 17:49:57 +00:00
parent c45796d54e
commit d081dfc7cd


@ -2892,8 +2892,7 @@ mly_user_command(struct mly_softc *sc, struct mly_user_command *uc)
MLY_LOCK(sc);
if (mly_alloc_command(sc, &mc)) {
MLY_UNLOCK(sc);
error = ENOMEM;
goto out; /* XXX Linux version will wait for a command */
return (ENOMEM); /* XXX Linux version will wait for a command */
}
MLY_UNLOCK(sc);
@ -2952,11 +2951,9 @@ mly_user_command(struct mly_softc *sc, struct mly_user_command *uc)
out:
if (mc->mc_data != NULL)
free(mc->mc_data, M_DEVBUF);
if (mc != NULL) {
MLY_LOCK(sc);
mly_release_command(mc);
MLY_UNLOCK(sc);
}
MLY_LOCK(sc);
mly_release_command(mc);
MLY_UNLOCK(sc);
return(error);
}
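Review bot: The cleanup at `out:` in the second hunk now dereferences `mc` unconditionally (`mc->mc_data`, then `mly_release_command(mc)`), so it is only safe while every `goto out` comes after a successful `mly_alloc_command()`, and nothing at the label records that. A comment there such as `/* mc is non-NULL here: allocation failure returns before any goto out */`, or a `KASSERT(mc != NULL, ("mly_user_command: NULL command in cleanup"));`, would stop a later early `goto out` from reintroducing the NULL dereference. The body between the two hunks is not shown, so the remaining `goto out` sites should be checked against this invariant.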