From 5753dc3f6572d42057a262f0e57e904e5c9cd9bc Mon Sep 17 00:00:00 2001
From: Andrew Goodbody
Date: Wed, 2 Jul 2025 11:01:37 +0100
Subject: [PATCH] efi_loader: Prevent dereference of uninitialised variable
If phandler is returned as NULL from efi_search_protocol then protocol_interface is never assigned to. Instead return EFI_UNSUPPORTED as per the spec. This issue found by Smatch. Also eliminate the use of the variable protocol_interface as it is not needed.
Signed-off-by: Andrew Goodbody
Reviewed-by: Ilias Apalodimas
Reviewed-by: Heinrich Schuchardt
Signed-off-by: Ilias Apalodimas
---
 lib/efi_loader/efi_http.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/lib/efi_loader/efi_http.c b/lib/efi_loader/efi_http.c
index 189317fe2d2..9a0f2675132 100644
--- a/lib/efi_loader/efi_http.c
+++ b/lib/efi_loader/efi_http.c
@@ -453,7 +453,6 @@ static efi_status_t EFIAPI efi_http_service_binding_destroy_child(
 efi_status_t ret = EFI_SUCCESS;
 struct efi_http_instance *http_instance;
 struct efi_handler *phandler;
- void *protocol_interface;
 if (num_instances == 0)
 return EFI_EXIT(EFI_NOT_FOUND);
@@ -463,18 +462,18 @@ static efi_status_t EFIAPI efi_http_service_binding_destroy_child(
 efi_search_protocol(child_handle, &efi_http_guid, &phandler);
- if (phandler)
- protocol_interface = phandler->protocol_interface;
+ if (!phandler)
+ return EFI_EXIT(EFI_UNSUPPORTED);
 ret = efi_delete_handle(child_handle);
 if (ret != EFI_SUCCESS)
 return EFI_EXIT(ret);
- http_instance = (struct efi_http_instance *)protocol_interface;
+ http_instance = phandler->protocol_interface;
 efi_free_pool(http_instance->http_load_addr);
 http_instance->http_load_addr = NULL;
- free(protocol_interface);
+ free(phandler->protocol_interface);
 num_instances--;
-- 2.47.2
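Review bot: In the second hunk `phandler->protocol_interface` is now first read after `efi_delete_handle(child_handle)` has returned, whereas the removed code copied the pointer out before that call. If efi_delete_handle releases the protocol entries attached to the handle (its body is not shown here), `phandler` is dangling at `http_instance = phandler->protocol_interface;` and again at `free(phandler->protocol_interface);`, which would be a use-after-free. Moving `http_instance = phandler->protocol_interface;` above the `efi_delete_handle` call and ending with `free(http_instance);` keeps the simplification without touching `phandler` after the delete. Separately, `phandler` is declared without an initialiser and the status returned by `efi_search_protocol` is ignored, so the new `if (!phandler)` test only holds if that function always writes the out-parameter; checking the status as well, `if (efi_search_protocol(child_handle, &efi_http_guid, &phandler) != EFI_SUCCESS || !phandler)`, would not rely on that. The function body begins and ends outside the hunk.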