Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#720 closed bug (fixed)

free(device) before access to device->devId

Reported by: fernandotcl@… Owned by: marcusoverhagen
Priority: low Milestone: R1
Component: System/Kernel Version:
Keywords: Cc: diver
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

In lines 645 (rtl8169_open()) and 691 (rtl8169_free()) in device.c from SVN revision 13218, the rtl8169_device pointer is freed before one of its members (devId) is accessed by the code that sets the device id as free.

The code in question reads:

free(device); atomic_and(&gOpenMask, ~(1 << device->devId));

And it should be instead set to:

atomic_and(&gOpenMask, ~(1 << device->devId)); free(device);

Change History (4)

comment:1 by diver, 13 years ago

Cc: diver added

comment:2 by jackburton, 13 years ago

Resolution: fixed

comment:3 by jackburton, 13 years ago

Status: newclosed

comment:4 by jackburton, 13 years ago

Fixed by zooey in hrev18393, I hope no one minds if I close this bug.

Note: See TracTickets for help on using tickets.