diff options
author | Ahmad Fatoum <a.fatoum@pengutronix.de> | 2020-11-12 18:25:24 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2020-11-13 08:52:59 +0100 |
commit | c2fa7340a961d10f9552babad4785cf0deb75e2c (patch) | |
tree | 21382b0a661ea6023af47053875c816e3efd3928 | |
parent | 12701e63a05a7c355d52a133c966c7e2b11a5a23 (diff) | |
download | barebox-c2fa7340a961d10f9552babad4785cf0deb75e2c.tar.gz barebox-c2fa7340a961d10f9552babad4785cf0deb75e2c.tar.xz |
nv: fix use-after-free when clearing from shell
When we use hush to set the same nv.var twice to the empty string:
$ nv.user=
$ nv.user=
nv_set is called twice with a NULL val argument leading
to a double free and accompanied memory corruption.
Reorder the code, so p->value is freed just once.
Fixes: fa4c41ba60af ("nvvar: when setting a nvvar to NULL just free the content")
Cc: Holger Assmann <has@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | common/globalvar.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/common/globalvar.c b/common/globalvar.c index 60793d7a30..a55b38b00f 100644 --- a/common/globalvar.c +++ b/common/globalvar.c @@ -179,16 +179,12 @@ static int nv_set(struct device_d *dev, struct param_d *p, const char *name, con { int ret; - if (!val) { - if (p) - free(p->value); - return 0; + if (val) { + ret = dev_set_param(&global_device, name, val); + if (ret) + return ret; } - ret = dev_set_param(&global_device, name, val); - if (ret) - return ret; - if (p) { free(p->value); p->value = xstrdup(val); |