diff options
author | Jacky Chou <jacky_chou@aspeedtech.com> | 2023-12-29 09:45:55 +0800 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2024-03-26 19:58:26 -0400 |
commit | 22f314e01ce249ec1649623ef725552f677beb62 (patch) | |
tree | 79f8c56d6ffef80d1f082b8442ce977dfdea5fc9 /drivers/net/phy | |
parent | ab8d9ca3044acf51d8ff3bf3c4718c48f30ad606 (diff) | |
download | u-boot-22f314e01ce249ec1649623ef725552f677beb62.zip u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.gz u-boot-22f314e01ce249ec1649623ef725552f677beb62.tar.bz2 |
net: phy: ncsi: fixed not nullify the pointers after free
The issue occurs the UAF (use-after-free) to cause double free
when do the realloc function for the pointers during the
reinitialization NC-SI process, and it will cause the memory
management occurs error.
So, nullify these pointers after free.
Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
Diffstat (limited to 'drivers/net/phy')
-rw-r--r-- | drivers/net/phy/ncsi.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/phy/ncsi.c b/drivers/net/phy/ncsi.c index eb3fd65..9689385 100644 --- a/drivers/net/phy/ncsi.c +++ b/drivers/net/phy/ncsi.c @@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len) /* Link or configuration lost - just redo the discovery process */ ncsi_priv->state = NCSI_PROBE_PACKAGE_SP; - for (i = 0; i < ncsi_priv->n_packages; i++) + for (i = 0; i < ncsi_priv->n_packages; i++) { free(ncsi_priv->packages[i].channels); + ncsi_priv->packages[i].channels = NULL; + } free(ncsi_priv->packages); + ncsi_priv->packages = NULL; ncsi_priv->n_packages = 0; ncsi_priv->current_package = NCSI_PACKAGE_MAX; |