diff options
| author | Philip Paeps <philip@FreeBSD.org> | 2022-07-08 03:49:54 +0000 |
|---|---|---|
| committer | Philip Paeps <philip@FreeBSD.org> | 2022-07-08 03:49:54 +0000 |
| commit | c4995b69db93fdab5fe375eae129aeff1cbca1bb (patch) | |
| tree | 5b110c11d0fd8607e3eed707fddebe6ccbcc2049 /sys/dev | |
| parent | a0b956f5ac5e0941f9e74e24c1c53e05ad061a38 (diff) | |
| download | src-c4995b69db93fdab5fe375eae129aeff1cbca1bb.tar.gz src-c4995b69db93fdab5fe375eae129aeff1cbca1bb.zip | |
ipmi: fix a use-after-free bug in error handling
18db96dbfd4a09063a0abcefd51fa8d2aeb115d6 introduced a use-after-free bug
in the error handling of the IPMICTL_RECEIVE_MSG ioctl.
Reported by: Coverity (CID 1490456) (via vangyzen)
Differential Revision: https://reviews.freebsd.org/D35605
Diffstat (limited to 'sys/dev')
| -rw-r--r-- | sys/dev/ipmi/ipmi.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/dev/ipmi/ipmi.c b/sys/dev/ipmi/ipmi.c index 7afafa492b6f..fd264dfc4c27 100644 --- a/sys/dev/ipmi/ipmi.c +++ b/sys/dev/ipmi/ipmi.c @@ -388,12 +388,13 @@ ipmi_ioctl(struct cdev *cdev, u_long cmd, caddr_t data, return (EAGAIN); } if (kreq->ir_error != 0) { + error = kreq->ir_error; TAILQ_REMOVE(&dev->ipmi_completed_requests, kreq, ir_link); dev->ipmi_requests--; IPMI_UNLOCK(sc); ipmi_free_request(kreq); - return (kreq->ir_error); + return (error); } recv->recv_type = IPMI_RESPONSE_RECV_TYPE; |