From: Alan Coopersmith
Date: Wed, 15 Apr 2009 17:06:49 +0000 (-0700)
Subject: Sun bug 6811468: pci_device_solx_devfs_probe accesses freed memory
X-Git-Tag: android-x86-6.0-r1~140
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=be748a7b512bf5597e162694a3b1769132938fe1;p=android-x86%2Fexternal-libpciaccess.git

Sun bug 6811468: pci_device_solx_devfs_probe accesses freed memory

di_fini() is being called in pci_device_solx_devfs_probe() The di_fini (3DEVINFO) man page says "All handles associated with this snapshot become invalid after the call to di_fini()". But after that, eight lines down, the subroutine was calling di_prop_lookup_ints with a handle args.node which was stored from walking the device tree, and then using the pointers that returned even further down.

Signed-off-by: Alan Coopersmith
---

diff --git a/src/solx_devfs.c b/src/solx_devfs.c
index 7d582ad..b56819c 100644
--- a/src/solx_devfs.c
+++ b/src/solx_devfs.c
@@ -726,8 +726,8 @@ pci_device_solx_devfs_probe( struct pci_device * dev )
 {
     uint8_t config[256];
     int err;
-    di_node_t rnode;
-    i_devnode_t args;
+    di_node_t rnode = DI_NODE_NIL;
+    i_devnode_t args = { 0, 0, 0, DI_NODE_NIL };
     int *regbuf;
     pci_regspec_t *reg;
     int i;
@@ -736,7 +736,6 @@ pci_device_solx_devfs_probe( struct pci_device * dev )
     uint ent = 0;
     err = pci_device_solx_devfs_read( dev, config, 0, 256, & bytes );
-    args.node = DI_NODE_NIL;
     if ( bytes >= 64 ) {
         struct pci_device_private *priv =
@@ -771,7 +770,6 @@ pci_device_solx_devfs_probe( struct pci_device * dev )
         args.func = dev->func;
         (void) di_walk_node(rnode, DI_WALK_CLDFIRST,
             (void *)&args, find_target_node);
-        di_fini(rnode);
     }
     }
     if (args.node != DI_NODE_NIL) {
@@ -786,7 +784,7 @@ pci_device_solx_devfs_probe( struct pci_device * dev )
     }
     if (len <= 0)
-        return (err);
+        goto cleanup;
     /*
@@ -868,6 +866,10 @@ pci_device_solx_devfs_probe( struct pci_device * dev )
     }
     }
+  cleanup:
+    if (rnode != DI_NODE_NIL) {
+        di_fini(rnode);
+    }
     return (err);
 }
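Review bot: The positional initializer `i_devnode_t args = { 0, 0, 0, DI_NODE_NIL };` in the first hunk ties the fix to the current field order of i_devnode_t, so a later reordering of that struct would silently re-introduce an unset `args.node` and the `args.node != DI_NODE_NIL` test in the third hunk would then read garbage. If the project's compilers accept C99, `i_devnode_t args = { .node = DI_NODE_NIL };` expresses the intent and zero-fills the remaining members regardless of order; otherwise a comment naming the field being set would help. In the fourth hunk only the `len <= 0` path is redirected to `cleanup:`; the body between that hunk and the final one is not visible here, and any other early `return (err);` in it would still bypass `di_fini(rnode)` and leak the snapshot, which is worth checking before merging. The di_init call that assigns rnode is also outside the visible hunks, so the `rnode != DI_NODE_NIL` guard in the last hunk relies on every path to `cleanup:` leaving rnode either initialised by di_init or at its new DI_NODE_NIL default.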