diff options
| author | Angel Pons <th3fanbus@gmail.com> | 2020-10-19 14:20:36 +0200 |
|---|---|---|
| committer | Felix Singer <felixsinger@posteo.net> | 2022-09-29 17:03:55 +0000 |
| commit | 30b87356f09dd2508e555a4296847fe256794d7c (patch) | |
| tree | 81713b7a5c0070b0b4785b17b9b555175fbac49d | |
| parent | a3983c779600bbb265c08ad1ff57c07593294c2f (diff) | |
| download | flashrom-30b87356f09dd2508e555a4296847fe256794d7c.tar.gz flashrom-30b87356f09dd2508e555a4296847fe256794d7c.tar.bz2 flashrom-30b87356f09dd2508e555a4296847fe256794d7c.zip | |
it87spi.c: Prevent use-after-free bug
The memory for the `param` string is aliased by `dualbiosindex_suffix`.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.
Change-Id: I79f18f6077c77c0cbb8bfa431e17f9b079f11c95
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/46551
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/67841
Reviewed-by: Felix Singer <felixsinger@posteo.net>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
| -rw-r--r-- | it87spi.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -139,12 +139,13 @@ static uint16_t it87spi_probe(uint16_t port) char *dualbiosindex_suffix; errno = 0; long chip_index = strtol(param, &dualbiosindex_suffix, 0); - free(param); if (errno != 0 || *dualbiosindex_suffix != '\0' || chip_index < 0 || chip_index > 1) { msg_perr("DualBIOS: Invalid chip index requested - choose 0 or 1.\n"); + free(param); exit_conf_mode_ite(port); return 1; } + free(param); if (chip_index != (tmp & 1)) { msg_pdbg("DualBIOS: Previous chip index: %d\n", tmp & 1); sio_write(port, 0xEF, (tmp & 0xFE) | chip_index); |