Re: [OSS-Tools] [PATCH 5/5] barebox-state: fix use after free in error path

2023-06-02 Thread Roland Hieber
For the whole series:

Reviewed-by: Roland Hieber 

On Wed, May 31, 2023 at 05:10:15PM +0200, Ahmad Fatoum wrote:
> blob_bin is freed a few lines above unconditionally, so freeing it
> again in the error path will cause a double free.
> 
> Signed-off-by: Ahmad Fatoum 
> ---
>  src/keystore-blob.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/src/keystore-blob.c b/src/keystore-blob.c
> index ed6ecb4eaa25..8ec07f0a3d56 100644
> --- a/src/keystore-blob.c
> +++ b/src/keystore-blob.c
> @@ -81,10 +81,8 @@ int keystore_get_secret(const char *name, const unsigned 
> char **key, int *key_le
>  
>   /* payload */
>   fd = open(blob_gen_payload, O_RDONLY);
> - if (fd < 0) {
> - free(blob_bin);
> + if (fd < 0)
>   return -errno;
> - }
>  
>   payload = xzalloc(len);
>   len = read(fd, payload, len);
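Review bot: The subject line calls this a use after free, but the only change here, dropping `free(blob_bin);` from the `if (fd < 0)` branch, removes a second free of a pointer that the commit message says was already released, which is a double free. Retitling to match ("fix double free in error path") keeps the log accurate for anyone searching by bug class. The earlier free lies outside the visible context, so the commit message could also say where it happens.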
> -- 
> 2.39.2
> 
> 
> 

-- 
Roland Hieber, Pengutronix e.K.  | r.hie...@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany| Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917- |



[OSS-Tools] [PATCH 5/5] barebox-state: fix use after free in error path

2023-05-31 Thread Ahmad Fatoum
blob_bin is freed a few lines above unconditionally, so freeing it
again in the error path will cause a double free.

Signed-off-by: Ahmad Fatoum 
---
 src/keystore-blob.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/keystore-blob.c b/src/keystore-blob.c
index ed6ecb4eaa25..8ec07f0a3d56 100644
--- a/src/keystore-blob.c
+++ b/src/keystore-blob.c
@@ -81,10 +81,8 @@ int keystore_get_secret(const char *name, const unsigned 
char **key, int *key_le
 
/* payload */
fd = open(blob_gen_payload, O_RDONLY);
-   if (fd < 0) {
-   free(blob_bin);
+   if (fd < 0)
return -errno;
-   }
 
payload = xzalloc(len);
len = read(fd, payload, len);
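Review bot: In the trailing context, `len = read(fd, payload, len);` overwrites the requested length with the return value of read(), which can be -1 or a short count. The lines that follow are not visible in this hunk, so while this error path is being touched it is worth confirming that a negative len is checked there and that the failure path releases payload and closes fd before returning. The reworked `if (fd < 0)` branch itself leaves no call between open() and `return -errno;` that could change errno.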
-- 
2.39.2