Source-Changes-HG archive


[src/trunk]: src/sys/dev/microcode/aic7xxx This thing is completely buggy. Th...



details:   https://anonhg.NetBSD.org/src/rev/dd9d99a2c606
branches:  trunk
changeset: 347124:dd9d99a2c606
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon Aug 15 08:52:33 2016 +0000

description:
This thing is completely buggy. There is a use-after-free and NULL pointer
dereference. Just fix the uaf, and add a comment. Not tested, but obvious
enough; found by brainy.

diffstat:

 sys/dev/microcode/aic7xxx/aicasm.c |  10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diffs (38 lines):

diff -r 376bd0c35c4b -r dd9d99a2c606 sys/dev/microcode/aic7xxx/aicasm.c
--- a/sys/dev/microcode/aic7xxx/aicasm.c        Mon Aug 15 08:43:19 2016 +0000
+++ b/sys/dev/microcode/aic7xxx/aicasm.c        Mon Aug 15 08:52:33 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $      */
+/*     $NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $  */
 
 /*
  * Aic7xxx SCSI host adapter firmware asssembler
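Review bot: The file header comment in this hunk's context still reads "asssembler" (three s's); since the hunk already touches the header to bump the RCS id, fixing that spelling here would be cheap.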
@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: aicasm.c,v 1.8 2009/12/27 16:03:49 jakllsch Exp $");
+__RCSID("$NetBSD: aicasm.c,v 1.9 2016/08/15 08:52:33 maxv Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -595,6 +595,7 @@
                                putchar(input);
                }
                free(func_values);
+               func_values = NULL;
                fprintf(stdout, "\nThanks!\n");
        }
 
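Review bot: Nulling func_values right after free() removes the dangling pointer, but it does not remove the call that consumes it: the same pointer is still handed to check_patch() in the instruction loop below, so this turns a use-after-free into a guaranteed NULL pointer being passed there. Unless check_patch() tolerates NULL for that argument, the call itself needs a guard, or the free()/NULL pair should move to after the loop that walks the instruction list so the values remain valid while they are used.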
@@ -604,6 +605,11 @@
             cur_instr != NULL;
             cur_instr = STAILQ_NEXT(cur_instr, links), instrcount++) {
 
+               /*
+                * XXX XXX XXX: What exactly are we trying to do here?
+                * 'func_values' is always NULL, so check_patch will
+                * necessarily crash.
+                */
                if (check_patch(&cur_patch, instrcount,
                                &skip_addr, func_values) == 0) {
                        /* Don't count this instruction as it is in a patch
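Review bot: The added XXX comment records that check_patch() is always handed a NULL func_values and "will necessarily crash", but the code below it is left as-is, so the documented crash remains reachable. At minimum an explicit check before the call (for example skipping the func_values-dependent part of check_patch(), or asserting on the pointer) would make the failure deliberate rather than a NULL dereference inside check_patch(); if the argument is genuinely unused on this path, the comment should say so instead of predicting a crash.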
