From c2fa7340a961d10f9552babad4785cf0deb75e2c Mon Sep 17 00:00:00 2001
From: Ahmad Fatoum
Date: Thu, 12 Nov 2020 18:25:24 +0100
Subject: nv: fix use-after-free when clearing from shell

When we use hush to set the same nv.var twice to the empty string:

$ nv.user=
$ nv.user=

nv_set is called twice with a NULL val argument leading to a double free and accompanied memory corruption. Reorder the code, so p->value is freed just once.

Fixes: fa4c41ba60af ("nvvar: when setting a nvvar to NULL just free the content")
Cc: Holger Assmann
Signed-off-by: Ahmad Fatoum
Signed-off-by: Sascha Hauer
---
 common/globalvar.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/common/globalvar.c b/common/globalvar.c
index 60793d7a30..a55b38b00f 100644
--- a/common/globalvar.c
+++ b/common/globalvar.c
@@ -179,16 +179,12 @@ static int nv_set(struct device_d *dev, struct param_d *p, const char *name, con
 {
 int ret;

- if (!val) {
- if (p)
- free(p->value);
- return 0;
+ if (val) {
+ ret = dev_set_param(&global_device, name, val);
+ if (ret)
+ return ret;
 }

- ret = dev_set_param(&global_device, name, val);
- if (ret)
- return ret;
-
 if (p) {
 free(p->value);
 p->value = xstrdup(val);
-- 
cgit v1.2.3
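Review bot: On the new `val == NULL` path `ret` is never assigned, because the added `if (val)` block is now the only place that writes it; if the tail of nv_set (outside the hunk) returns `ret` rather than a literal, that is a read of an uninitialized variable, and `int ret = 0;` on the declaration line removes the hazard either way. The fix also depends on `xstrdup(NULL)` yielding NULL so that `p->value` is reset after the `free()` and a second clear cannot free it again; that holds for barebox's xstrdup, but a reader seeing free-then-strdup of a possibly NULL pointer will stumble, so a comment at the assignment would help: `/* xstrdup(NULL) is NULL: resets p->value so a repeated clear cannot double free */`. Note that with a NULL val dev_set_param is no longer reached, so the global_device parameter itself is left untouched, matching the previous behaviour described in the commit message. nv_set's body continues past the end of the hunk.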