hey maxime, this should be fixed in src/sys/dev/pci/if_bnx.c r1.112.
thanks for the report :) dlg
> On 21 Jul 2015, at 18:31, Maxime Villard <m...@m00nbsd.net> wrote:
>
> Hi,
> Here is one bug, among others, that I found:
>
> -------------------------- sys/dev/pci/if_bnx.c ------------------------
>
>         if ((status & L2_FHDR_STATUS_L2_VLAN_TAG) &&
>             !(sc->rx_mode & BNX_EMAC_RX_MODE_KEEP_VLAN_TAG)) {
> #if NVLAN > 0
>             DBPRINT(sc, BNX_VERBOSE_SEND,
>                 "%s(): VLAN tag = 0x%04X\n",
>                 __FUNCTION__,
>                 l2fhdr->l2_fhdr_vlan_tag);
>
>             m->m_pkthdr.ether_vtag =
>                 l2fhdr->l2_fhdr_vlan_tag;
>             m->m_flags |= M_VLANTAG;
> #else
>             m_freem(m);
>             goto bnx_rx_int_next_rx;
> #endif
>         }
>
> bnx_rx_int_next_rx:
>         sw_prod = NEXT_RX_BD(sw_prod);
>     }
>
>     sw_cons = NEXT_RX_BD(sw_cons);
>
>     /* If we have a packet, pass it up the stack */
>     if (m) {
>         sc->rx_cons = sw_cons;
>
>         DBPRINT(sc, BNX_VERBOSE_RECV,
>             "%s(): Passing received frame up.\n", __FUNCTION__);
>         ml_enqueue(&ml, m);
>         DBRUNIF(1, sc->rx_mbuf_alloc--);
>
>         sw_cons = sc->rx_cons;
>     }
>
> ------------------------------------------------------------------------
>
> Use-after-free with 'm'. In the #else branch, m_freem(m) is followed by goto bnx_rx_int_next_rx without m being set to NULL, so the later "if (m)" check still passes the freed mbuf to ml_enqueue().
>
> Found by The Brainy Code Scanner.
>
> Maxime
>