When we use hush to set the same nv.var twice to the empty string: $ nv.user= $ nv.user= nv_set is called twice with a NULL val argument leading to a double free and accompanied memory corruption. Reorder the code, so p->value is freed just once. Fixes: fa4c41ba60af ("nvvar: when setting a nvvar to NULL just free the content") Cc: Holger Assmann <has@xxxxxxxxxxxxxx> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- v1 -> v2: Use correct author email in DCO --- common/globalvar.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/common/globalvar.c b/common/globalvar.c index 60793d7a30c6..a55b38b00fd5 100644 --- a/common/globalvar.c +++ b/common/globalvar.c @@ -179,16 +179,12 @@ static int nv_set(struct device_d *dev, struct param_d *p, const char *name, con { int ret; - if (!val) { - if (p) - free(p->value); - return 0; + if (val) { + ret = dev_set_param(&global_device, name, val); + if (ret) + return ret; } - ret = dev_set_param(&global_device, name, val); - if (ret) - return ret; - if (p) { free(p->value); p->value = xstrdup(val); -- 2.28.0 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox