authorBohdan Tymkiv <bhdt@cypress.com>2018-04-27 15:37:28 +0300
committerTomas Vanek <vanekt@fbl.cz>2018-06-05 11:29:33 +0100
commit456f982868ddd7c699e45ee24f7080cbaf0d72ee (patch)
tree83e943952bd2ad11aa5351c590b3a6475d938676 /src
parent5952f5e50a163f82385c6ccf88d84e8372f496b7 (diff)
flash/nor/core: fix double-free crash with 'virtual' flash banks
flash_bank structure of 'virtual' flash driver is a full copy of the master flash_bank structure including bank->sectors and bank->prot_blocks pointers. These pointers point to memory locations allocated by the master driver and thus master driver is responsible for deallocating them. Do not free bank->sectors and bank->prot_blocks of 'virtual' driver since they were already released by master flash driver. Change-Id: I01f373d4adb3fc79e2724964926b9276442c5c52 Signed-off-by: Bohdan Tymkiv <bhdt@cypress.com> Reviewed-on: http://openocd.zylin.com/4504 Tested-by: jenkins Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
Diffstat (limited to 'src')
-rw-r--r--src/flash/nor/core.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/flash/nor/core.c b/src/flash/nor/core.c
index f05c68b..4941281 100644
--- a/src/flash/nor/core.c
+++ b/src/flash/nor/core.c
@@ -188,9 +188,17 @@ void flash_free_all_banks(void)
else
LOG_WARNING("Flash driver of %s does not support free_driver_priv()", bank->name);
+ /* For 'virtual' flash driver bank->sectors and bank->prot_blocks pointers are copied from
+ * master flash_bank structure. They point to memory locations allocated by master flash driver
+ * so master driver is responsible for releasing them.
+ * Avoid UB caused by double-free memory corruption if flash bank is 'virtual'. */
+
+ if (strcmp(bank->driver->name, "virtual") != 0) {
+ free(bank->sectors);
+ free(bank->prot_blocks);
+ }
+
free(bank->name);
- free(bank->sectors);
- free(bank->prot_blocks);
free(bank);
bank = next;
}
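Review bot: The guard `strcmp(bank->driver->name, "virtual") != 0` decides who owns `bank->sectors` and `bank->prot_blocks` from a driver-name string literal. Any other driver that copies a master bank's pointers, or a rename of this one, would bring the double free back without this site changing. I would state that invariant in the comment, for example by adding `* Only the driver named "virtual" may alias another bank's sectors/prot_blocks; a new aliasing driver must be excluded here as well.` A longer-term option is to record ownership on the bank itself rather than inferring it from the name. The blank line between the comment and the `if` also separates the explanation from the code it describes and could be dropped. The body of flash_free_all_banks starts and ends outside this hunk, so whether `bank->driver` can be NULL at this point cannot be confirmed from the visible lines.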