net: phy: ncsi: fixed not nullify the pointers after free

The issue occurs the UAF (use-after-free) to cause double free when do the realloc function for the pointers during the reinitialization NC-SI process, and it will cause the memory management occurs error. So, nullify these pointers after free. Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
author: Jacky Chou <jacky_chou@aspeedtech.com> 2023-12-29 09:45:55 +0800
committer: Tom Rini <trini@konsulko.com> 2024-03-26 19:58:26 -0400
commit: 22f314e01ce249ec1649623ef725552f677beb62 (patch)
tree: 79f8c56d6ffef80d1f082b8442ce977dfdea5fc9 /drivers/net/phy
parent: ab8d9ca3044acf51d8ff3bf3c4718c48f30ad606 (diff)
download: u-boot-22f314e01ce249ec1649623ef725552f677beb62.zip
u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.gz
u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.bz2
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/phy/ncsi.c b/drivers/net/phy/ncsi.c
index eb3fd65..9689385 100644
--- a/drivers/net/phy/ncsi.c
+++ b/drivers/net/phy/ncsi.c
@@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len)
 
 	/* Link or configuration lost - just redo the discovery process */
 	ncsi_priv->state = NCSI_PROBE_PACKAGE_SP;
-	for (i = 0; i < ncsi_priv->n_packages; i++)
+	for (i = 0; i < ncsi_priv->n_packages; i++) {
 		free(ncsi_priv->packages[i].channels);
+		ncsi_priv->packages[i].channels = NULL;
+	}
 	free(ncsi_priv->packages);
+	ncsi_priv->packages = NULL;
 	ncsi_priv->n_packages = 0;
 
 	ncsi_priv->current_package = NCSI_PACKAGE_MAX;
author	Jacky Chou <jacky_chou@aspeedtech.com>	2023-12-29 09:45:55 +0800
committer	Tom Rini <trini@konsulko.com>	2024-03-26 19:58:26 -0400
commit	22f314e01ce249ec1649623ef725552f677beb62 (patch)
tree	79f8c56d6ffef80d1f082b8442ce977dfdea5fc9 /drivers/net/phy
parent	ab8d9ca3044acf51d8ff3bf3c4718c48f30ad606 (diff)
download	u-boot-22f314e01ce249ec1649623ef725552f677beb62.zip u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.gz u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.bz2