net: phy: ncsi: fixed not nullify the pointers after free
authorJacky Chou <jacky_chou@aspeedtech.com>
Fri, 29 Dec 2023 01:45:55 +0000 (09:45 +0800)
committerTom Rini <trini@konsulko.com>
Tue, 26 Mar 2024 23:58:26 +0000 (19:58 -0400)
A use-after-free (UAF) that leads to a double free occurs when
realloc is called on these pointers during the NC-SI
reinitialization process, which causes errors in memory
management.
So, nullify these pointers after free.

Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
drivers/net/phy/ncsi.c

index eb3fd65bb47f48866ddbfd98ce945f83347303ec..9689385884753797646f813103cc1240ba4e7c15 100644 (file)
@@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len)
 
        /* Link or configuration lost - just redo the discovery process */
        ncsi_priv->state = NCSI_PROBE_PACKAGE_SP;
-       for (i = 0; i < ncsi_priv->n_packages; i++)
+       for (i = 0; i < ncsi_priv->n_packages; i++) {
                free(ncsi_priv->packages[i].channels);
+               ncsi_priv->packages[i].channels = NULL;
+       }
        free(ncsi_priv->packages);
+       ncsi_priv->packages = NULL;
        ncsi_priv->n_packages = 0;
 
        ncsi_priv->current_package = NCSI_PACKAGE_MAX;
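Review bot: The reset block now leaves `ncsi_priv->packages == NULL` together with `n_packages == 0`, but nothing in the code records that the rediscovery path depends on that pair; per the commit message that path calls realloc on these pointers, so I would add a comment above `free(ncsi_priv->packages);` such as `/* packages must be NULL whenever n_packages is 0: rediscovery realloc()s it */`. The per-entry store `ncsi_priv->packages[i].channels = NULL;` writes into an array that is freed on the very next statement, so it is harmless but has no lasting effect; the `ncsi_priv->packages = NULL;` store is the one that keeps a stale pointer from reaching realloc. This handler takes an `ip_udp_hdr` and so appears to run on a received packet, which makes it worth confirming that any other place freeing these pointers (not visible in this hunk) clears them the same way. The body of ncsi_handle_aen() starts and ends outside the hunk.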