[src/trunk]: src/sys/net If cnt == 0, don't kmem_alloc(0). Found by Mootja.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/net If cnt == 0, don't kmem_alloc(0). Found by Mootja.
From: maxv <maxv%NetBSD.org@localhost>
Date: Tue, 07 Apr 2020 09:15:31 +0000

details:   https://anonhg.NetBSD.org/src/rev/eef98388c778
branches:  trunk
changeset: 829008:eef98388c778
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun Jan 14 16:50:37 2018 +0000

description:
If cnt == 0, don't kmem_alloc(0). Found by Mootja.

Looking at the code, I also find it suspicious that we read
ifv->ifv_mib->ifvm_p directly without making sure ifv_mib != NULL.

diffstat:

 sys/net/if_vlan.c |  15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

diffs (58 lines):

diff -r 60fbd16c0425 -r eef98388c778 sys/net/if_vlan.c
--- a/sys/net/if_vlan.c Sun Jan 14 16:43:03 2018 +0000
+++ b/sys/net/if_vlan.c Sun Jan 14 16:50:37 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_vlan.c,v 1.121 2017/12/19 03:32:35 ozaki-r Exp $    */
+/*     $NetBSD: if_vlan.c,v 1.122 2018/01/14 16:50:37 maxv Exp $       */
 
 /*-
  * Copyright (c) 2000, 2001 The NetBSD Foundation, Inc.
@@ -78,7 +78,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_vlan.c,v 1.121 2017/12/19 03:32:35 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_vlan.c,v 1.122 2018/01/14 16:50:37 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -804,6 +804,7 @@
        int i, cnt = 0;
 
        bound = curlwp_bind();
+
        mutex_enter(&ifv_list.lock);
        LIST_FOREACH(ifv, &ifv_list.list, ifv_list) {
                mib = vlan_getref_linkmib(ifv, &psref);
@@ -817,13 +818,18 @@
        }
        mutex_exit(&ifv_list.lock);
 
+       if (cnt == 0) {
+               curlwp_bindx(bound);
+               return;
+       }
+
        /*
         * The value of "cnt" does not increase while ifv_list.lock
         * and ifv->ifv_lock are released here, because the parent
         * interface is detaching.
         */
        nmibs = kmem_alloc(sizeof(*nmibs) * cnt, KM_SLEEP);
-       for (i=0; i < cnt; i++) {
+       for (i = 0; i < cnt; i++) {
                nmibs[i] = kmem_alloc(sizeof(*nmibs[i]), KM_SLEEP);
        }
 
@@ -851,9 +857,10 @@
        }
 
        mutex_exit(&ifv_list.lock);
+
        curlwp_bindx(bound);
 
-       for (i=0; i < cnt; i++) {
+       for (i = 0; i < cnt; i++) {
                if (nmibs[i])
                        kmem_free(nmibs[i], sizeof(*nmibs[i]));
        }

Prev by Date: [src/trunk]: src/sys/netipsec Fix use-after-free. There is a path where the m...
Next by Date: [src/trunk]: src/sys/sys KDASSERT -> KASSERT. This code is fast and useful.
Previous by Thread: [src/trunk]: src/sys/netipsec Fix use-after-free. There is a path where the m...
Next by Thread: [src/trunk]: src/sys/sys KDASSERT -> KASSERT. This code is fast and useful.
Indexes:

Home | Main Index | Thread Index | Old Index