Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 9 May 2016 16:26:35 +0000 (UTC)
From:      Stephen McConnell <slm@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r299269 - head/sys/dev/mpr
Message-ID:  <201605091626.u49GQZHs037116@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: slm
Date: Mon May  9 16:26:34 2016
New Revision: 299269
URL: https://svnweb.freebsd.org/changeset/base/299269

Log:
  Fix possible use of invalid pointer.
  
  It was possible to use an invalid pointer to get the target ID value. To fix
  this, initialize a local Target ID variable to an invalid value and change that
  variable to a valid value only if the pointer to the Target ID is not NULL.
  
  Reviewed by:    ken, scottl, ambrisko, asomers
  Approved by:	ken, scottl, ambrisko
  MFC after:      1 week
  Differential Revision: https://reviews.freebsd.org/D6100

Modified:
  head/sys/dev/mpr/mpr_sas.c

Modified: head/sys/dev/mpr/mpr_sas.c
==============================================================================
--- head/sys/dev/mpr/mpr_sas.c	Mon May  9 16:24:16 2016	(r299268)
+++ head/sys/dev/mpr/mpr_sas.c	Mon May  9 16:26:34 2016	(r299269)
@@ -243,6 +243,8 @@ mprsas_alloc_tm(struct mpr_softc *sc)
 void
 mprsas_free_tm(struct mpr_softc *sc, struct mpr_command *tm)
 {
+	int target_id = 0xFFFFFFFF;
+
 	MPR_FUNCTRACE(sc);
 	if (tm == NULL)
 		return;
@@ -254,10 +256,11 @@ mprsas_free_tm(struct mpr_softc *sc, str
 	 */
 	if (tm->cm_targ != NULL) {
 		tm->cm_targ->flags &= ~MPRSAS_TARGET_INRESET;
+		target_id = tm->cm_targ->tid;
 	}
 	if (tm->cm_ccb) {
 		mpr_dprint(sc, MPR_INFO, "Unfreezing devq for target ID %d\n",
-		    tm->cm_targ->tid);
+		    target_id);
 		xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
 		xpt_free_path(tm->cm_ccb->ccb_h.path);
 		xpt_free_ccb(tm->cm_ccb);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605091626.u49GQZHs037116>