From ea5253bc2b5ad50d4d5b4d295cd13280e8b63444 Mon Sep 17 00:00:00 2001 From: rwatson Date: Tue, 3 Apr 2007 12:45:10 +0000 Subject: Fix use after free bug: use temporary variable to hold next entry in linked list while freeing current entry, rather than using the free'd entry's next pointer. Found with: Coverity Prevent(tm) CID: 1333 --- sys/netatm/atm_if.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'sys/netatm') diff --git a/sys/netatm/atm_if.c b/sys/netatm/atm_if.c index cdf4960..665e7c0 100644 --- a/sys/netatm/atm_if.c +++ b/sys/netatm/atm_if.c @@ -169,7 +169,7 @@ atm_physif_deregister(cup) Cmn_unit *cup; { struct atm_pif *pip = (struct atm_pif *)&cup->cu_pif; - Cmn_vcc *cvp; + Cmn_vcc *cvp, *cvp_next; int err; int s = splnet(); @@ -215,8 +215,9 @@ atm_physif_deregister(cup) */ cvp = cup->cu_vcc; while (cvp) { + cvp_next = cvp->cv_next; uma_zfree(cup->cu_vcc_zone, cvp); - cvp = cvp->cv_next; + cvp = cvp_next; } cup->cu_vcc = (Cmn_vcc *)NULL; -- cgit v1.1