diff options
| author | Angel Pons <th3fanbus@gmail.com> | 2021-05-25 13:03:24 +0200 |
|---|---|---|
| committer | Edward O'Callaghan <quasisec@chromium.org> | 2021-05-28 12:50:36 +0000 |
| commit | be5af628bdc4df2fc85a2a753ff54616b7a8405c (patch) | |
| tree | d1d790f4034d195f3ca208e68d309be6db41e754 | |
| parent | 2ef2efa0fa6a920fe3dd8f067a6632798b214bcd (diff) | |
| download | flashrom-be5af628bdc4df2fc85a2a753ff54616b7a8405c.tar.gz flashrom-be5af628bdc4df2fc85a2a753ff54616b7a8405c.tar.bz2 flashrom-be5af628bdc4df2fc85a2a753ff54616b7a8405c.zip | |
dummyflasher.c: Prevent use-after-free bug
The memory for the `status` string is aliased by the `endptr` pointer.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.
Change-Id: I1b56834004fe18918213a7df0a09a8a7ecb56985
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/54909
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Anastasia Klimchuk <aklm@chromium.org>
| -rw-r--r-- | dummyflasher.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/dummyflasher.c b/dummyflasher.c index 5defec01..560dbdc0 100644 --- a/dummyflasher.c +++ b/dummyflasher.c @@ -962,12 +962,13 @@ int dummy_init(void) if (status) { errno = 0; data->emu_status = strtoul(status, &endptr, 0); - free(status); if (errno != 0 || status == endptr) { + free(status); msg_perr("Error: initial status register specified, " "but the value could not be converted.\n"); return 1; } + free(status); msg_pdbg("Initial status register is set to 0x%02x.\n", data->emu_status); } |