paste02-talk


    freeit(int *z) {
        kfree(z);
    }

    foo(int *x) {
        freeit(x);
        if(y)
            …
        *x          ERROR: use after free!
    }

    bar(int *y) {
        freeit(y);
        *y
    }

State annotations shown alongside the code on the slides: { v:z.start->freed }, { v:z.freed }, { v:y.freed }

    /* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */
    isdn_ctrl cmd;
    ...
    while ((skb = skb_dequeue(&card->rcvq))) {
        msg = skb->data;
        ...
        memcpy(cmd.parm.setup.phone,
               msg->msg.connect_ind.addr.num,
               msg->msg.connect_ind.addr.len - 1);

    /* 2.4.9-ac7/fs/intermezzo/psdev.c */
    error = copy_from_user(&input, (char *)arg, sizeof(input));
    input.path = kmalloc(input.path_len + 1, GFP_KERNEL);
    if (!input.path)
        return -ENOMEM;
    error = copy_from_user(input.path, user_path, input.path_len);

...

This note was uploaded on 12/28/2013 for the course CS 190 taught by Professor Engler during the Winter '12 term at Stanford.
