tools: fwumdata: Fix use-after-free in parse_config()
author Kory Maincent <kory.maincent@bootlin.com>
Tue, 7 Apr 2026 12:34:35 +0000 (14:34 +0200)
committer Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tue, 12 May 2026 06:31:51 +0000 (09:31 +0300)
commit d5ea30b233e8162898d44da2c20dfc88e27d23db
tree 8aff082d5560be42b128242b0fb4d057cfa31ab3
parent 5732bd0f457b4c671e46574d64d4acb099c0f0a5
tools: fwumdata: Fix use-after-free in parse_config()

In parse_config(), devname is dynamically allocated by sscanf().
When sscanf() fails to fill enough fields (rc < 3), devname is freed and
the loop continues to the next line. However, if the next call to sscanf()
fails to match (rc == 0), devname is not written and still holds the stale
freed pointer. The subsequent free(devname) then operates on
already-freed memory.

Fix this by resetting devname to NULL before each sscanf() call, so
that a non-matching call leaves a NULL pointer and the subsequent
free() becomes a harmless no-op.

Reported-by: Coverity Scan
Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools/fwumdata_src/fwumdata.c
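
The failure mode from the commit message, modelled as an added example; it is not code from this commit or from U-Boot. The `"%ms %lli %lli"` format string, the `scan_lines()` helper and the sample lines are assumptions, and the stale `free()` is counted rather than executed so the model stays well defined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* parsed: lines with all three fields; stale_frees: free() of freed memory */
struct scan_result { int parsed; int stale_frees; };

/* Constructed sample input: full line, short line, empty line, full line. */
static const char *const sample_lines[] = {
    "/dev/mtd0 0x0 0x1000", "/dev/mtd1", "", "/dev/mtd2 0x1000 0x1000",
};

/* Hypothetical model of the parse_config() loop; format string assumed.
 * reset=false is the loop before the fix, reset=true the loop after it. */
static struct scan_result scan_lines(const char *const *lines, size_t n, bool reset)
{
    struct scan_result res = {0, 0};
    char *devname = NULL;
    bool dangling = false; /* devname still holds an already-freed pointer */
    long long off, size;
    for (size_t i = 0; i < n; i++) {
        if (reset) {
            devname = NULL; /* the fix: never carry a pointer across lines */
            dangling = false;
        }
        int rc = sscanf(lines[i], "%ms %lli %lli", &devname, &off, &size);
        if (rc >= 1)
            dangling = false; /* %ms stored a fresh allocation */
        if (rc < 3) {
            if (dangling)
                res.stale_frees++; /* old loop: free() of freed memory */
            else
                free(devname); /* fresh allocation, or NULL (no-op) */
            dangling = dangling || rc >= 1;
            continue;
        }
        res.parsed++;
        free(devname); /* the model does not keep the name */
        devname = NULL;
    }
    return res;
}

int main(void)
{
    printf("stale frees before fix: %d, after: %d\n",
           scan_lines(sample_lines, 4, false).stale_frees,
           scan_lines(sample_lines, 4, true).stale_frees);
    return 0;
}
```

The empty line makes `sscanf()` return without assigning `devname`, which is the case where the unreset pointer from the preceding short line would be freed a second time.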