diff options
| author | Angel Pons <th3fanbus@gmail.com> | 2020-10-19 14:20:36 +0200 |
|---|---|---|
| committer | Felix Singer <felixsinger@posteo.net> | 2022-09-29 17:01:57 +0000 |
| commit | ebaf0d423ac551ba58cfe9b89eb32cf629e31172 (patch) | |
| tree | e985725d6250186fff25075efbf585960e46f050 | |
| parent | 3265bb2427d6abb24f4d3760aa786d8adc466597 (diff) | |
| download | flashrom-ebaf0d423ac551ba58cfe9b89eb32cf629e31172.tar.gz flashrom-ebaf0d423ac551ba58cfe9b89eb32cf629e31172.tar.bz2 flashrom-ebaf0d423ac551ba58cfe9b89eb32cf629e31172.zip | |
it87spi.c: Prevent use-after-free bug
The memory for the `param` string is aliased by `dualbiosindex_suffix`.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.
Change-Id: I79f18f6077c77c0cbb8bfa431e17f9b079f11c95
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/46551
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/67851
Reviewed-by: Felix Singer <felixsinger@posteo.net>
| -rw-r--r-- | it87spi.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -135,12 +135,13 @@ static uint16_t it87spi_probe(uint16_t port) char *dualbiosindex_suffix; errno = 0; long chip_index = strtol(param, &dualbiosindex_suffix, 0); - free(param); if (errno != 0 || *dualbiosindex_suffix != '\0' || chip_index < 0 || chip_index > 1) { msg_perr("DualBIOS: Invalid chip index requested - choose 0 or 1.\n"); + free(param); exit_conf_mode_ite(port); return 1; } + free(param); if (chip_index != (tmp & 1)) { msg_pdbg("DualBIOS: Previous chip index: %d\n", tmp & 1); sio_write(port, 0xEF, (tmp & 0xFE) | chip_index); |