aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Johnston <markj@FreeBSD.org>2021-05-26 14:02:19 +0000
committerMark Johnston <markj@FreeBSD.org>2021-06-02 13:34:07 +0000
commit7a67b893e81e20c2d6f4e30ef6c304838f6cc0df (patch)
tree370463b612378704154c7bd6e93ade0a7ebddc98
parentb22150dadd231a84886b2a078dfbe02f9c6d87cc (diff)
downloadsrc-7a67b893e81e20c2d6f4e30ef6c304838f6cc0df.tar.gz
src-7a67b893e81e20c2d6f4e30ef6c304838f6cc0df.zip
cxgb: Avoid a read-after-free in get_packet() when cxgb_debug is on
PR: 255863 MFC after: 1 week (cherry picked from commit 16f8f89c5c1f324a15a7e0607f03f041a230a572)
Diffstat
-rw-r--r--sys/dev/cxgb/cxgb_sge.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/dev/cxgb/cxgb_sge.c b/sys/dev/cxgb/cxgb_sge.c
index f13d2f03180c..00b67880fcc8 100644
--- a/sys/dev/cxgb/cxgb_sge.c
+++ b/sys/dev/cxgb/cxgb_sge.c
@@ -2773,6 +2773,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs,
if (mh->mh_tail == NULL) {
log(LOG_ERR, "discarding intermediate descriptor entry\n");
m_freem(m);
+ m = NULL;
break;
}
mh->mh_tail->m_next = m;
@@ -2780,7 +2781,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs,
mh->mh_head->m_pkthdr.len += len;
break;
}
- if (cxgb_debug)
+ if (cxgb_debug && m != NULL)
printf("len=%d pktlen=%d\n", m->m_len, m->m_pkthdr.len);
done:
if (++fl->cidx == fl->size)
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-19 03:00:46 +0000