| From: | YONETANI Tomokazu <qhwt+dragonfly-submit@xxxxxxxxxx> |
| Date: | Sun, 22 Feb 2004 21:59:27 +0900 |
On Thu, Feb 19, 2004 at 05:43:53PM -0800, Ted Unangst wrote:
> Hi. These are some bugs found by Coverity in a static analysis run on the
> FreeBSD kernel. All these are use after free bugs.
[snip]
> [UNINSPECTED]
> X [BUG]
> X [FALSE]
> X [UNKNOWN]
> X [BROKE]
> X [SKIP]
> /home/tedu/sys/dev/ips/ips_commands.c|517|ips_ffdc_reset|ERROR|FREE|514|517| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
>
>     status = malloc(sizeof(ips_cmd_status_t), M_DEVBUF, M_NOWAIT|M_ZERO);
>     if(!status)
>         return ENOMEM;
>     if(ips_get_free_cmd(sc, ips_send_ffdc_reset_cmd, status,
>         IPS_NOWAIT_FLAG)){
> Start --->
>         free(status, M_DEVBUF);
>         device_printf(sc->dev, "ERROR: unable to get a command! can't send ffdc reset!\n");
>     }
> Error --->
>     if(COMMAND_ERROR(status)){
>         device_printf(sc->dev, "ERROR: ffdc reset command failed!\n");
>     }
>     free(status, M_DEVBUF);
>     return 0;
> }
> ---------------------------------------------------------
Attached patch should fix this, as well as other places similar to
this. Tested that both gcc2 and gcc3 compiled the patched code.
Regards.
Attachment:
ips.diff.gz
Description: application/gunzip
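
The fall-through flagged in the quoted report, as an added example: this is not code from the original message and not the contents of the attached ips.diff.gz. It is a userland model in which `status_alloc`, `status_free`, `status_failed`, the two `ffdc_reset_*` functions and the `EIO` return value are assumptions made for illustration; the tracking flag counts accesses that would touch freed memory instead of performing them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Userland stand-ins (assumptions) for the kernel type and macro. */
typedef struct { int value; } ips_cmd_status_t;
#define COMMAND_ERROR(s) ((s)->value != 0)
static int status_live;   /* 1 while the tracked buffer is allocated */
static int bad_accesses;  /* reads or frees attempted after the free */

static ips_cmd_status_t *status_alloc(void) {
    ips_cmd_status_t *s = calloc(1, sizeof(*s));
    status_live = (s != NULL);
    return s;
}
static void status_free(ips_cmd_status_t *s) {
    if (!status_live) { bad_accesses++; return; }   /* would be a second free */
    free(s);
    status_live = 0;
}
static int status_failed(ips_cmd_status_t *s) {
    if (!status_live) { bad_accesses++; return 0; } /* would be a use after free */
    return COMMAND_ERROR(s);
}

/* Flagged control flow: the error branch frees status, then falls through. */
static int ffdc_reset_flagged(int get_cmd_fails) {
    ips_cmd_status_t *status = status_alloc();
    if (!status) return ENOMEM;
    if (get_cmd_fails) status_free(status);         /* no return here */
    if (status_failed(status)) fprintf(stderr, "ffdc reset command failed\n");
    status_free(status);
    return 0;
}

/* One possible correction: return from the error branch (EIO is this example's choice). */
static int ffdc_reset_fixed(int get_cmd_fails) {
    ips_cmd_status_t *status = status_alloc();
    if (!status) return ENOMEM;
    if (get_cmd_fails) { status_free(status); return EIO; }
    if (status_failed(status)) fprintf(stderr, "ffdc reset command failed\n");
    status_free(status);
    return 0;
}

int main(void) {
    ffdc_reset_flagged(1);
    int flagged = bad_accesses;
    ffdc_reset_fixed(1);
    printf("flagged: %d, fixed: %d\n", flagged, bad_accesses - flagged);
    return 0;
}
```

In the model the flagged path records two accesses after the free: the `COMMAND_ERROR` read that Coverity reported, and the second `free` at the end of the function.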