From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tom Rini
Date: Wed, 7 Oct 2015 10:19:29 -0400
Subject: [U-Boot] [PATCH] tools/proftool: fix use-after-free
In-Reply-To: <1444225728-23057-1-git-send-email-vincent.stehle@freescale.com>
References: <1444225728-23057-1-git-send-email-vincent.stehle@freescale.com>
Message-ID: <20151007141929.GO3829@bill-the-cat>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Wed, Oct 07, 2015 at 03:48:48PM +0200, Vincent Stehlé wrote:

> The read_trace_config() can dereference the line pointer after freeing
> it on its error path. Avoid that.
>
> This was found by Coverity Scan.
>
> Signed-off-by: Vincent Stehlé
> Cc: Simon Glass

Were you in the Coverity talk too? :) I saw this error as well today
now. I was actually thinking along the lines of:

diff --git a/tools/proftool.c b/tools/proftool.c index 9ce7a77..b3d3057 100644 --- a/tools/proftool.c +++ b/tools/proftool.c @@ -433,8 +433,9 @@ static int read_trace_config(FILE *fin) err = regcomp(&line->regex, tok, REG_NOSUB); if (err) { free(line); - return regex_report_error(&line->regex, err, "compile", + err = regex_report_error(&line->regex, err, "compile", tok); + return err; } /* link this new one to the end of the list */

--
Tom
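
Review bot: free(line) still runs before regex_report_error(&line->regex, ...) in the if (err) branch, so the call is still handed a pointer into the allocation that was just freed; storing the result in err and returning it afterwards does not change that ordering. Move free(line) to after the call, so the branch reads: err = regex_report_error(&line->regex, err, "compile", tok); then free(line); then return err;.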