dummyflasher.c: Prevent use-after-free bug

The memory for the `status` string is aliased by the `endptr` pointer. Moreover, `errno` could have been modified by the call to `free()`. Therefore, only free the former when there are no more uses of either. Change-Id: I1b56834004fe18918213a7df0a09a8a7ecb56985 Signed-off-by: Angel Pons <th3fanbus@gmail.com> Reviewed-on: https://review.coreboot.org/c/flashrom/+/54909 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Edward O'Callaghan <quasisec@chromium.org> Reviewed-by: Anastasia Klimchuk <aklm@chromium.org>
2025-04-27 23:22:37 +02:00 · 2021-05-25 13:03:24 +02:00 · 2021-05-25 13:03:24 +02:00 · be5af628bd
commit be5af628bd
parent 2ef2efa0fa
1 changed files with 2 additions and 1 deletions
--- a/dummyflasher.c
+++ b/dummyflasher.c
@ -962,12 +962,13 @@ int dummy_init(void)
 	if (status) {
 		errno = 0;
 		data->emu_status = strtoul(status, &endptr, 0);
-		free(status);
 		if (errno != 0 || status == endptr) {
+			free(status);
 			msg_perr("Error: initial status register specified, "
 				 "but the value could not be converted.\n");
 			return 1;
 		}
+		free(status);
 		msg_pdbg("Initial status register is set to 0x%02x.\n",
 			 data->emu_status);
 	}