From: Ted Unangst
Date: Fri, 20 Aug 2004 11:09:59 -0700
To: hackers@freebsd.org
Subject: use after free bugs
Message-ID: <41263E77.5040500@coverity.com>
List-Id: Technical Discussions relating to FreeBSD

these are results from running Coverity's analysis over FreeBSD 4.10 kernel.

two improper loops: if_ef.c:566 and atapi-all.c

ng_socket.c: possible double free of resp 815 and 870, depending on caller context. is this possible?

if_bfe.c: double call to bfe_release_resources will free lots of stuff twice on failure.

aha_isa.c: aha_isa_attach: aha_free frees "aha", can't use it afterwards, lots of examples.
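A user-space model of the if_bfe.c finding above, added here as an illustration; it is not code from the original message or from the FreeBSD tree. The names `demo_softc`, `release_one`, `demo_release_resources` and `demo_attach` are hypothetical, and `malloc`/`free` stand in for kernel resource allocation. It shows a release routine made idempotent, so a second call on the failure path frees nothing twice.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a driver softc; not FreeBSD's real structure. */
struct demo_softc {
    void *irq;      /* models an interrupt resource */
    void *dma_tag;  /* models a DMA tag */
    int   frees;    /* number of resources actually freed */
};

/* Free a resource at most once: clearing the pointer makes a repeat a no-op. */
static void release_one(struct demo_softc *sc, void **res)
{
    if (*res == NULL) return;
    free(*res);
    *res = NULL;    /* without this line a second call is a double free */
    sc->frees++;
}

/* Idempotent release: safe from both the attach failure path and detach. */
static void demo_release_resources(struct demo_softc *sc)
{
    release_one(sc, &sc->irq);
    release_one(sc, &sc->dma_tag);
}

/* Attach that can fail after allocating; it cleans up before returning. */
static int demo_attach(struct demo_softc *sc, int fail_late)
{
    sc->frees = 0;
    sc->irq = malloc(16);
    sc->dma_tag = malloc(16);
    if (sc->irq == NULL || sc->dma_tag == NULL || fail_late) {
        demo_release_resources(sc);   /* first release, on failure */
        return -1;
    }
    return 0;
}

/* Failed attach followed by the caller's own cleanup: counts real frees. */
int demo_frees_after_double_release(void)
{
    struct demo_softc sc;
    (void)demo_attach(&sc, 1);        /* constructed failure case */
    demo_release_resources(&sc);      /* second release, now harmless */
    return sc.frees;
}

int main(void) { printf("frees: %d\n", demo_frees_after_double_release()); return 0; }
```

The same pointer-clearing discipline makes the aha_isa.c pattern visible too: once a release routine has run, any later use of the freed object goes through a NULL pointer instead of stale memory.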