[PATCH] uefi: uefivarinfo: fix double free on data (LP: #1372874)

Colin King colin.king at canonical.com
Tue Sep 23 10:31:49 UTC 2014


From: Colin Ian King <colin.king at canonical.com>

Commit 728cbed162d88306e5fb10623fb37b282e21f73f "uefivarinfo: allocate
buffer rewrite to avoid realloc failure (LP: #1362540)" introduced
a double free on data as detected by Coverity Scan:

*** CID 1240201:  Double free  (USE_AFTER_FREE)
/src/uefi/uefivarinfo/uefivarinfo.c: 160 in do_checkvariables()
154     					free(data);
155     					return FWTS_ERROR;
156     				}
157     			}
158     		}
159
>>>     CID 1240201:  Double free  (USE_AFTER_FREE)
>>>     Calling "free" frees pointer "data" which has already been freed.
160     		free(data);

Free data in appropriate places to ensure we don't do a double free

Signed-off-by: Colin Ian King <colin.king at canonical.com>
---
 src/uefi/uefivarinfo/uefivarinfo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index a4d2783..41296c6 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -127,12 +127,13 @@ static int do_checkvariables(
 
 		ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable);
 		if (ioret == -1) {
-			free(data);
 			if (status != EFI_BUFFER_TOO_SMALL) {
+				free(data);
 				fwts_log_info(fw, "Failed to get variable with UEFI runtime service.");
 				fwts_uefi_print_status_info(fw, status);
 				return FWTS_ERROR;
 			} else if (getdatasize > maxvarsize) {
+				free(data);
 				fwts_log_info(fw, "Variable is larger than maximum variable length.");
 				fwts_uefi_print_status_info(fw, status);
 
@@ -156,7 +157,6 @@ static int do_checkvariables(
 				}
 			}
 		}
-
 		free(data);
 
 		(*usedvarssize) += getdatasize;
-- 
2.1.0




More information about the fwts-devel mailing list