On Thu, Nov 12, 2020 at 06:19:27PM +0100, Ahmad Fatoum wrote: > From: Ahmad Fatoum <ahmad@xxxxxx> > > When we use hush to set the same nv.var twice to the empty string: > > $ nv.user= > $ nv.user= > > nv_set is called twice with a NULL val argument leading > to a double free and accompanied memory corruption. > > Reorder the code, so p->value is freed just once. > > Fixes: fa4c41ba60af ("nvvar: when setting a nvvar to NULL just free the content") > Cc: Holger Assmann <has@xxxxxxxxxxxxxx> > Signed-off-by: Ahmad Fatoum <ahmad@xxxxxx> > --- > common/globalvar.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) Applied, thanks Sascha > > diff --git a/common/globalvar.c b/common/globalvar.c > index 60793d7a30c6..a55b38b00fd5 100644 > --- a/common/globalvar.c > +++ b/common/globalvar.c > @@ -179,16 +179,12 @@ static int nv_set(struct device_d *dev, struct param_d *p, const char *name, con > { > int ret; > > - if (!val) { > - if (p) > - free(p->value); > - return 0; > + if (val) { > + ret = dev_set_param(&global_device, name, val); > + if (ret) > + return ret; > } > > - ret = dev_set_param(&global_device, name, val); > - if (ret) > - return ret; > - > if (p) { > free(p->value); > p->value = xstrdup(val); > -- > 2.28.0 > > > _______________________________________________ > barebox mailing list > barebox@xxxxxxxxxxxxxxxxxxx > http://lists.infradead.org/mailman/listinfo/barebox > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox