author | Adam Muhle <armuhle@us.ibm.com> | 2012-10-26 17:06:35 -0500 |
committer | A. Patrick Williams III <iawillia@us.ibm.com> | 2012-11-03 14:43:35 -0500 |
commit | d1ea835e9a3b4b77649f1fd349d6dce434ee506a (patch) | |
tree | 65f25e68bfca34afab93ad8a8da7e3be84a49c2d /src | |
parent | 0fb4ee347957ceb2b58a200551fe6cf2cc212e74 (diff) | |
Fix use of freed memory in mailbox
MailboxSp::handleNewMessage() had a case where messages are freed
but then data within those messages are used to determine
future actions, which led to setting pointers to NULL
in memory that it no longer owned. I changed to use a temporary
variable to avoid referencing freed data.
Change-Id: Icda77b43d515960258f29edca3f65db4b0e2d3a7
Reviewed-on: http://gfw160.austin.ibm.com:8080/gerrit/2145
Tested-by: Jenkins Server
Reviewed-by: Douglas R. Gilbert <dgilbert@us.ibm.com>
Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/usr/mbox/mailboxsp.C | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/usr/mbox/mailboxsp.C b/src/usr/mbox/mailboxsp.C
index a5b110527..9361e613e 100644
--- a/src/usr/mbox/mailboxsp.C
+++ b/src/usr/mbox/mailboxsp.C
@@ -319,11 +319,14 @@ void MailboxSp::handleNewMessage(msg_t * i_msg)
 mbox_msg.msg_queue_id = static_cast<uint32_t>(i_msg->data[0]);
 msg_t * payload = reinterpret_cast<msg_t*>(i_msg->extra_data);
 mbox_msg.msg_payload = *payload; //copy in payload
+ bool i_msg_is_async = msg_is_async(i_msg);
- if(msg_is_async(i_msg))
+ if(i_msg_is_async)
 {
 msg_free(payload);
 msg_free(i_msg);
+ payload = NULL;
+ i_msg = NULL;
 }
 if(iv_disabled)
@@ -334,7 +337,7 @@ void MailboxSp::handleNewMessage(msg_t * i_msg)
 mbox_msg.msg_queue_id,
 mbox_msg.msg_payload.type);
- if(!msg_is_async(i_msg)) // synchronous
+ if(!i_msg_is_async) // synchronous
 {
 /*@ errorlog tag
 * @errortype ERRL_SEV_INFORMATIONAL
@@ -374,7 +377,7 @@ void MailboxSp::handleNewMessage(msg_t * i_msg)
 else
 {
- if(!msg_is_async(i_msg)) //synchronous
+ if(!i_msg_is_async) //synchronous
 {
 i_msg->data[1] = 0; // used later for return value
@@ -391,6 +394,7 @@ void MailboxSp::handleNewMessage(msg_t * i_msg)
 send_msg(&mbox_msg);
 }
+
 }
 // Note: When called due to an ACK or retry, iv_rts should be true.
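Review bot: Setting `i_msg = NULL` after `msg_free(i_msg)` in the first hunk clears only this function's by-value copy of the pointer, so the caller still holds a pointer to the released message; the protection the commit adds is local to the callee, and the ownership rule should be stated where a reader of this function sees it. I would put a comment above the async branch, `// Async messages are consumed here: i_msg and its extra_data are freed and must not be touched after this block.` The `!i_msg_is_async` guards in the later hunks keep `i_msg->data[1] = 0` off the freed path, but `handleNewMessage` continues past the last hunk, so any later `i_msg` use outside the visible hunks needs the same guard. As a point of style, the `i_` prefix in `i_msg_is_async` is what this file uses for input parameters (`i_msg`), so a plain local name such as `is_async` would avoid reading as a parameter.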