Created attachment 197278 [details] Patch_for_FFEC_NULL-POINTER-DEFERENCE

There is a potential null pointer dereference in function ffec_alloc_mbufcl (sys/dev/ffec/if_ffec.c).

798 static struct mbuf *
799 ffec_alloc_mbufcl(struct ffec_softc *sc)
800 {
801         struct mbuf *m;
802
803         m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
804         m->m_pkthdr.len = m->m_len = m->m_ext.ext_size;
805
806         return (m);
807 }

m_getcl(how, type, flags)
    Fetch an mbuf with a mbuf cluster attached to it. If one of the allocations fails, the entire allocation fails. This routine is the preferred way of fetching both the mbuf and mbuf cluster together, as it avoids having to unlock/relock between allocations. Returns NULL on failure.

If line 803 returns NULL on failure, then there is a null pointer dereference vulnerability. The attachment is the proposed patch.
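The pattern the report describes, the unchecked result of an M_NOWAIT allocator being dereferenced on the next line, is easy to reproduce and to guard against outside the kernel. The following is an added userland example, not FreeBSD's driver code or the attached patch: it models the mbuf with a small stand-in struct (sim_mbuf, sim_m_getcl, SIM_MCLBYTES and the fault-injection knobs are all assumptions of this example), shows the unchecked helper beside a checked one, and shows a ring-fill caller that propagates the NULL instead of assuming success.

```c
#include <stdlib.h>

/* Constructed userland stand-in for the kernel mbuf; only the fields the bug
 * report touches are modelled. */
struct sim_mbuf {
	int m_len;
	struct { int len; } m_pkthdr;
	struct { int ext_size; } m_ext;
};

#define SIM_MCLBYTES 2048	/* assumed cluster size for the simulation */

/* Fault injection: allocation number `sim_fail_at` (0-based) returns NULL,
 * mimicking m_getcl(M_NOWAIT, ...) under memory pressure; -1 disables it. */
static int sim_alloc_count = 0;
static int sim_fail_at = -1;

/* Stand-in for m_getcl(): returns NULL on failure, as mbuf(9) documents. */
static struct sim_mbuf *sim_m_getcl(void)
{
	int idx = sim_alloc_count++;
	if (idx == sim_fail_at)
		return NULL;
	struct sim_mbuf *m = calloc(1, sizeof(*m));
	if (m == NULL)
		return NULL;
	m->m_ext.ext_size = SIM_MCLBYTES;
	return m;
}

static void sim_m_free(struct sim_mbuf *m)
{
	free(m);
}

/* Shape of the helper as reported: a NULL from the allocator is dereferenced
 * on the next line. Kept only for comparison; never called here. */
struct sim_mbuf *alloc_mbufcl_unchecked(void)
{
	struct sim_mbuf *m = sim_m_getcl();
	m->m_pkthdr.len = m->m_len = m->m_ext.ext_size;	/* crashes if m == NULL */
	return m;
}

/* Hardened helper: test the allocator's result before touching it and hand
 * the NULL back to the caller. */
struct sim_mbuf *alloc_mbufcl_checked(void)
{
	struct sim_mbuf *m = sim_m_getcl();
	if (m == NULL)
		return NULL;
	m->m_pkthdr.len = m->m_len = m->m_ext.ext_size;
	return m;
}

/* A caller that honours the NULL: fill `n` receive-ring slots, stop at the
 * first failure and report how many were filled, so no slot is left looking
 * populated when it is not. */
int fill_rx_ring(struct sim_mbuf **ring, int n)
{
	int i;
	for (i = 0; i < n; i++) {
		ring[i] = alloc_mbufcl_checked();
		if (ring[i] == NULL)
			break;
	}
	return i;
}

void release_rx_ring(struct sim_mbuf **ring, int filled)
{
	for (int i = 0; i < filled; i++) {
		sim_m_free(ring[i]);
		ring[i] = NULL;
	}
}

/* Drive a ring fill with the allocator failing at `fail_at` (-1 = never) and
 * return the number of slots filled. Every filled slot is checked to carry a
 * full cluster length before release; -1 flags a broken slot. */
int slots_filled_with_failure_at(int fail_at, int n)
{
	struct sim_mbuf *ring[8] = { 0 };
	if (n > 8)
		n = 8;
	sim_alloc_count = 0;
	sim_fail_at = fail_at;
	int filled = fill_rx_ring(ring, n);
	for (int i = 0; i < filled; i++) {
		if (ring[i] == NULL || ring[i]->m_len != SIM_MCLBYTES) {
			release_rx_ring(ring, filled);
			return -1;
		}
	}
	release_rx_ring(ring, filled);
	return filled;
}
```

With no fault injected all four slots fill; with the allocator failing on the third call the caller gets two and stops cleanly, which is the behaviour a driver's receive path needs once the helper can return NULL.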
A commit references this bug:

Author: ae
Date: Fri Sep 21 13:44:05 UTC 2018
New revision: 338857
URL: https://svnweb.freebsd.org/changeset/base/338857

Log:
  Fix possible NULL pointer dereference in ffec_alloc_mbufcl().

  PR:           231514
  Approved by:  re (kib)
  MFC after:    1 week

Changes:
  head/sys/dev/ffec/if_ffec.c
A commit references this bug:

Author: ae
Date: Fri Sep 28 10:02:47 UTC 2018
New revision: 338992
URL: https://svnweb.freebsd.org/changeset/base/338992

Log:
  MFC r338857:
    Fix possible NULL pointer dereference in ffec_alloc_mbufcl().

  PR:           231514

Changes:
_U  stable/11/
  stable/11/sys/dev/ffec/if_ffec.c
Fixed in head/ and stable/11. Thanks!