bootstd: android: avoid possible null pointer dereference

- avb_slot_verify_data_free() doesn't check its data parameter
- out_data can be null if avb_slot_verify() fails to allocate memory

Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Link: https://lore.kernel.org/r/20250402144219.1875067-1-bisson.gary@gmail.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@kernel.org>

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index a5a86b29d7f02ec5be7989af251153cecf29b489..654ebfdf1fcc46c54b7731a70bdef1072880fc8c 100644 (file)
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -455,7 +455,8 @@ static int run_avb_verification(struct bootflow *bflow)
                if (result != AVB_SLOT_VERIFY_RESULT_OK) {
                        printf("Verification failed, reason: %s\n",
                               str_avb_slot_error(result));
-                       avb_slot_verify_data_free(out_data);
+                       if (out_data)
+                               avb_slot_verify_data_free(out_data);
                        return log_msg_ret("avb verify", -EIO);
                }
                boot_state = AVB_GREEN;
@@ -465,7 +466,8 @@ static int run_avb_verification(struct bootflow *bflow)
                    result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
                        printf("Unlocked verification failed, reason: %s\n",
                               str_avb_slot_error(result));
-                       avb_slot_verify_data_free(out_data);
+                       if (out_data)
+                               avb_slot_verify_data_free(out_data);
                        return log_msg_ret("avb verify unlocked", -EIO);
                }
                boot_state = AVB_ORANGE;