CVSROOT: /cvs
Module name: src
Changes by: s...@cvs.openbsd.org 2020/04/02 11:36:32

Modified files:
    sys/dev/usb : if_zyd.c

Log message:
Fix use-after-free zyd(4) upon Tx error and device detach.

If a transmit error occurs in zyd_tx() we must reset tx data's ni pointer
to NULL since the node reference will be released in zyd_start(). A stale
node pointer could potentially be released again which would mess up the
node's reference count and potentially result in a use-after-free.

Upon detach, ic->ic_bss was freed in ieee80211_ifdetach(), and afterwards
ic->ic_bss->ni_refcnt was decremented in zyd_free_tx_list().
Change the order of operations during detach to prevent this use-after-free.

Reported on bugs@ by Raf Czlonka
ok mpi@
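The Tx-error half of the log message, as an added user-space model that is not code from if_zyd.c or the commit. Every name in it (struct node, struct tx_data, tx, start, free_tx_list, the fixed flag) is a hypothetical stand-in, and the node is never actually freed, so the effect shows up only as the final reference count.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for a net80211 node and a driver Tx slot. */
struct node { int refcnt; };
struct tx_data { struct node *ni; };

static void node_release(struct node *ni) { ni->refcnt--; }

/* Tx routine: stores the node in the slot. On error the caller releases
 * the reference, so the slot must stop pointing at the node (fixed != 0). */
static int tx(struct tx_data *d, struct node *ni, int fail, int fixed)
{
    d->ni = ni;
    if (fail) {
        if (fixed)
            d->ni = NULL;       /* the reset the log message calls for */
        return -1;
    }
    return 0;
}

/* Start routine: takes a reference per frame, drops it if Tx fails. */
static void start(struct tx_data *d, struct node *ni, int fail, int fixed)
{
    ni->refcnt++;
    if (tx(d, ni, fail, fixed) != 0)
        node_release(ni);
}

/* Cleanup: releases whatever node each slot still references. */
static void free_tx_list(struct tx_data *d)
{
    if (d->ni != NULL) {
        node_release(d->ni);
        d->ni = NULL;
    }
}

/* Final refcount after one failed Tx plus cleanup; the owner holds 1. */
int refcnt_after_failed_tx(int fixed)
{
    struct node bss = { 1 };
    struct tx_data d = { NULL };
    start(&d, &bss, 1, fixed);
    free_tx_list(&d);
    return bss.refcnt;          /* 0 means the owner's reference was lost */
}

int main(void)
{
    printf("stale pointer kept: refcnt=%d\n", refcnt_after_failed_tx(0));
    printf("pointer reset:      refcnt=%d\n", refcnt_after_failed_tx(1));
    return 0;
}
```

With the stale pointer left in place, the cleanup pass releases a reference that the start routine already dropped, so the count falls below what the remaining owner holds; in a real allocator that is the point at which the node would be freed while still in use.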