Edward O'Callaghan has submitted this change. ( https://review.coreboot.org/c/flashrom/+/54909 )
Change subject: dummyflasher.c: Prevent use-after-free bug
......................................................................
dummyflasher.c: Prevent use-after-free bug
The memory for the `status` string is aliased by the `endptr` pointer. Moreover, `errno` could have been modified by the call to `free()`. Therefore, only free the former when there are no more uses of either.
Change-Id: I1b56834004fe18918213a7df0a09a8a7ecb56985
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/54909
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Anastasia Klimchuk <aklm@chromium.org>
---
M dummyflasher.c
1 file changed, 2 insertions(+), 1 deletion(-)
Approvals:
  build bot (Jenkins): Verified
  Edward O'Callaghan: Looks good to me, approved
  Anastasia Klimchuk: Looks good to me, but someone else must approve
diff --git a/dummyflasher.c b/dummyflasher.c index 5defec0..560dbdc 100644 --- a/dummyflasher.c +++ b/dummyflasher.c @@ -962,12 +962,13 @@ if (status) { errno = 0; data->emu_status = strtoul(status, &endptr, 0); - free(status); if (errno != 0 || status == endptr) { + free(status); msg_perr("Error: initial status register specified, " "but the value could not be converted.\n"); return 1; } + free(status); msg_pdbg("Initial status register is set to 0x%02x.\n", data->emu_status); }
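Review bot: moving `free(status)` after the `errno != 0 || status == endptr` test is the right fix (comparing `status` after `free()` uses an indeterminate pointer value, and `free()` is allowed to change `errno`), but the check still accepts trailing garbage: `strtoul` stops at the first non-digit and only `status == endptr` is tested, so an input such as `0x1cq` passes with `errno == 0` and the value silently truncated. Consider extending the condition to `if (errno != 0 || status == endptr || *endptr != '\0')` before the free. Minor: the `free(status)` now appears in both the error path and the success path, which is easy to lose on a later edit of either branch; a single free after the validation, with the error message and return kept inside the `if`, would leave one call site.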
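The ordering the commit message argues for, as an added stand-alone example that is not flashrom's code: a hypothetical `parse_initial_status()` copies its input into a heap string (standing in for the extracted `status` parameter), validates the `strtoul` result while `status`, `endptr` and `errno` are all still meaningful, and only then frees the buffer. It goes one step beyond the patch by also rejecting trailing characters via `*endptr`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper mirroring the fixed dummyflasher.c flow.
 * Returns 0 and stores the parsed value on success, 1 on error. */
static int parse_initial_status(const char *param, unsigned long *emu_status)
{
	char *status = strdup(param);   /* stands in for the extracted parameter */
	char *endptr;
	unsigned long val;

	if (!status)
		return 1;

	errno = 0;
	val = strtoul(status, &endptr, 0);
	/* Inspect errno and endptr BEFORE free(): free() may clobber errno,
	 * and endptr points into the buffer owned by status. The *endptr
	 * test additionally rejects trailing characters such as "0x1cq". */
	if (errno != 0 || status == endptr || *endptr != '\0') {
		free(status);
		fprintf(stderr, "Error: initial status register specified, "
			"but the value could not be converted.\n");
		return 1;
	}
	free(status);          /* no further use of status or endptr */
	*emu_status = val;
	return 0;
}

int main(void)
{
	/* Constructed sample inputs: valid hex/decimal, empty, garbage,
	 * trailing garbage, and an out-of-range value (ERANGE). */
	const char *inputs[] = { "0x1c", "28", "", "junk", "0x1cq",
				 "0xffffffffffffffffffffff" };
	unsigned long st;

	for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
		if (parse_initial_status(inputs[i], &st) == 0)
			printf("\"%s\" -> 0x%02lx\n", inputs[i], st);
		else
			printf("\"%s\" -> rejected\n", inputs[i]);
	}
	return 0;
}
```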