tech-kern archive


Brainy: two UAFs



Hi,
I've been developing a new analysis engine for Brainy for some weeks
now, and I've just updated the UAF catcher to use this new engine.

Even though it still needs some work, it has just found two
use-after-frees:
 1. double free in sys/dev/pci/if_et.c
 2. beautiful UAF in sys/arch/pmax/tc/dt.c, the area is freed and
    then inserted into a list for later use

I can't test these patches: could someone review & ok them please?

Thanks,
Maxime

Index: if_et.c
===================================================================
RCS file: /cvsroot/src/sys/dev/pci/if_et.c,v
retrieving revision 1.8
diff -u -r1.8 if_et.c
--- if_et.c	29 Mar 2014 19:28:24 -0000	1.8
+++ if_et.c	26 Jun 2015 20:11:38 -0000
@@ -1823,7 +1823,6 @@

 		MGETHDR(m_new, M_DONTWAIT, MT_DATA);
 		if (m_new == NULL) {
-			m_freem(m);
 			aprint_error_dev(sc->sc_dev, "can't defrag TX mbuf\n");
 			error = ENOBUFS;
 			goto back;
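Review bot: dropping the `m_freem(m)` before `goto back` is only correct if the `back:` label (not shown in this hunk) frees the original mbuf on every error return; please say so in the commit message, and confirm that the caller does not free it as well, otherwise the same double free just moves one level up. Nothing else needs releasing on this path, since `m_new` is NULL when it is taken.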
@@ -1833,7 +1832,6 @@
 		if (m->m_pkthdr.len > MHLEN) {
 			MCLGET(m_new, M_DONTWAIT);
 			if (!(m_new->m_flags & M_EXT)) {
-				m_freem(m);
 				m_freem(m_new);
 				error = ENOBUFS;
 			}
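Review bot: the visible context after `error = ENOBUFS;` ends at the closing brace with no `goto back`, so the hunk does not show whether this path exits or falls through; if it falls through, the code after the brace continues with `m_new` already released by `m_freem(m_new)`, which this change does not address. Please confirm that a `goto back` follows the brace (and add one if it does not), and that, as in the previous hunk, `back:` frees `m` on error so that removing `m_freem(m)` here is a matching fix rather than a leak.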

Index: tc/dt.c
===================================================================
RCS file: /cvsroot/src/sys/arch/pmax/tc/dt.c,v
retrieving revision 1.11
diff -u -r1.11 dt.c
--- tc/dt.c	4 Jun 2011 01:37:36 -0000	1.11
+++ tc/dt.c	27 Jun 2015 06:06:31 -0000
@@ -225,6 +225,7 @@
 	if (sc->sc_sih == NULL) {
 		printf("%s: memory exhausted\n", device_xname(self));
 		free(msg, M_DEVBUF);
+		return;
 	}

 	SIMPLEQ_INIT(&sc->sc_queue);
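Review bot: the added `return` correctly stops the freed `msg` from being used afterwards, but a bare return from what appears to be the attach routine leaves the device half configured: whatever was set up before the `sc_sih` check (outside this hunk) is neither released nor marked invalid, and `SIMPLEQ_INIT(&sc->sc_queue)` is now skipped, so any later entry point that dereferences `sc->sc_sih` or walks `sc_queue` sees a NULL handler and an uninitialised queue. Either tear those down before returning or note in the commit message why that is safe. Style nit, since `self` is already in hand: `aprint_error_dev(self, ...)` rather than `printf` with `device_xname(self)`.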

