tools: fwumdata: Fix use-after-free in parse_config()

In parse_config(), devname is dynamically allocated by sscanf(). When sscanf() fails to fill enough fields (rc < 3), devname is freed and the loop continues to the next line. However, if the next call to sscanf() fails to match (rc == 0), devname is not written and still holds the stale freed pointer. The subsequent free(devname) then operates on already-freed memory. Fix this by resetting devname to NULL before each sscanf() call, so that a non-matching call leaves a NULL pointer and the subsequent free() becomes a harmless no-op. Reported-by: Coverity Scan Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2026-06-02 09:46:37 +03:00 · 2026-04-07 14:34:35 +02:00
parent 5732bd0f45
commit d5ea30b233
1 changed files with 1 additions and 0 deletions
--- a/tools/fwumdata_src/fwumdata.c
+++ b/tools/fwumdata_src/fwumdata.c
@@ -84,6 +84,7 @@ static int parse_config(const char *fname)
 		if (line[0] == '#' || line[0] == '\n')
 			continue;

+		devname = NULL;
 		rc = sscanf(line, "%ms %lli %lx %lx",
 			    &devname,
 			    &devices[i].devoff,