[PATCH] uefi: uefivarinfo: fix double free on data (LP: #1372874)
Colin King
colin.king at canonical.com
Tue Sep 23 10:31:49 UTC 2014
From: Colin Ian King <colin.king at canonical.com>
Commit 728cbed162d88306e5fb10623fb37b282e21f73f "uefivarinfo: allocate
buffer rewrite to avoid realloc failure (LP: #1362540)" introduced
a double free on data as detected by Coverity Scan:
*** CID 1240201: Double free (USE_AFTER_FREE)
/src/uefi/uefivarinfo/uefivarinfo.c: 160 in do_checkvariables()
154 free(data);
155 return FWTS_ERROR;
156 }
157 }
158 }
159
>>> CID 1240201: Double free (USE_AFTER_FREE)
>>> Calling "free" frees pointer "data" which has already been freed.
160 free(data);
Free data in appropriate places to ensure we don't do a double free
Signed-off-by: Colin Ian King <colin.king at canonical.com>
---
src/uefi/uefivarinfo/uefivarinfo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index a4d2783..41296c6 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -127,12 +127,13 @@ static int do_checkvariables(
ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable);
if (ioret == -1) {
- free(data);
if (status != EFI_BUFFER_TOO_SMALL) {
+ free(data);
fwts_log_info(fw, "Failed to get variable with UEFI runtime service.");
fwts_uefi_print_status_info(fw, status);
return FWTS_ERROR;
} else if (getdatasize > maxvarsize) {
+ free(data);
fwts_log_info(fw, "Variable is larger than maximum variable length.");
fwts_uefi_print_status_info(fw, status);
@@ -156,7 +157,6 @@ static int do_checkvariables(
}
}
}
-
free(data);
(*usedvarssize) += getdatasize;
--
2.1.0
More information about the fwts-devel
mailing list