From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Mon, 6 Oct 2025 13:39:03 +0000 (+0200)
Subject: efi_loader: correctly check if the HTTP protocol is found
X-Git-Tag: v2026.01-rc1~20^2~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=163f9d04fbd19cd1c39f2adad92e770b0a94a3a4;p=thirdparty%2Fu-boot.git

efi_loader: correctly check if the HTTP protocol is found

In function efi_http_service_binding_destroy_child() phandler is created as
as a local variable. If efi_search_protocol() fails, phandler will hold a
random value from the stack. Even it is not zero, we must not use it.

If efi_search_protocol() succeeds, the pointer has already be dereferenced,
so checking against NULL makes not sense here.

If ChildHandle is not a valid UEFI handle, we must return
EFI_INVALID_PARAMETER.

Use a single location for EFI_EXIT().

Addresses-Coverity-ID: CID 531974 (Unchecked return value)
Fixes: 5753dc3f6572 ("efi_loader: Prevent dereference of uninitialised variable")
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---

diff --git a/lib/efi_loader/efi_http.c b/lib/efi_loader/efi_http.c
index 9a0f2675132..2a606aa441e 100644
--- a/lib/efi_loader/efi_http.c
+++ b/lib/efi_loader/efi_http.c
@@ -460,14 +460,16 @@ static efi_status_t EFIAPI efi_http_service_binding_destroy_child(
 	if (!child_handle)
 		return EFI_EXIT(EFI_INVALID_PARAMETER);
 
-	efi_search_protocol(child_handle, &efi_http_guid, &phandler);
-
-	if (!phandler)
-		return EFI_EXIT(EFI_UNSUPPORTED);
+	ret = efi_search_protocol(child_handle, &efi_http_guid, &phandler);
+	if (ret != EFI_SUCCESS) {
+		if (ret != EFI_INVALID_PARAMETER)
+			ret = EFI_UNSUPPORTED;
+		goto out;
+	}
 
 	ret = efi_delete_handle(child_handle);
 	if (ret != EFI_SUCCESS)
-		return EFI_EXIT(ret);
+		goto out;
 
 	http_instance = phandler->protocol_interface;
 	efi_free_pool(http_instance->http_load_addr);
@@ -476,8 +478,8 @@ static efi_status_t EFIAPI efi_http_service_binding_destroy_child(
 	free(phandler->protocol_interface);
 
 	num_instances--;
-
-	return EFI_EXIT(EFI_SUCCESS);
+out:
+	return EFI_EXIT(ret);
 }
 
 /**