Hi,
I put here two bugs among others:
------------------------ sys/dev/pci/hifn7751.c ------------------------
2757
if (!(m0->m_flags & M_EXT))
m_freem(m0);
len = MCLBYTES;
totlen -= len;
m0->m_pkthdr.len = m0->m_len = len;
mlast = m0;
------------------------------------------------------------------------
Use-after-free with 'm0'.
------------------------ sys/dev/pci/hifn7751.c ------------------------
2766
MGET(m, M_DONTWAIT, MT_DATA);
if (m == NULL) {
m_freem(m0);
return (NULL);
}
MCLGET(m, M_DONTWAIT);
if (!(m->m_flags & M_EXT)) {
m_freem(m0);
return (NULL);
}
len = MCLBYTES;
------------------------------------------------------------------------
'm' is leaked.
Found by The Brainy Code Scanner.
Maxime
