From: Tom Rini
Date: Wed, 7 Oct 2015 11:42:31 -0400
Subject: [U-Boot] [PATCH] tools/proftool: fix use-after-free
In-Reply-To: <56152DC9.3060009@freescale.com>
References: <1444225728-23057-1-git-send-email-vincent.stehle@freescale.com> <20151007141929.GO3829@bill-the-cat> <56152DC9.3060009@freescale.com>
Message-ID: <20151007154231.GP3829@bill-the-cat>
To: u-boot@lists.denx.de

On Wed, Oct 07, 2015 at 04:35:53PM +0200, Vincent Stehlé wrote:
> On 10/07/2015 04:19 PM, Tom Rini wrote:
> ..
> > Were you in the Coverity talk too? :)
>
> Hi Tom,
>
> No, I was not following that talk, sorry.

Ah, coincidence then.

> ..
> > free(line);
> > - return regex_report_error(&line->regex, err, "compile",
> > + err = regex_report_error(&line->regex, err, "compile",
> > tok);
> > + return err;
>
> I am not sure you solve the problem this way. Indeed the structure
> pointed to by the line pointer will still have been freed before use
> even this way. Who knows what the memory contains when regerror() will
> access &line->regex, which is contained into the freed structure?

Er, bah. That's what I get for writing something in the middle of
listening to a talk too. I meant to also move the free() to after the
regex_report_error call and just avoid adding another variable.

-- 
Tom
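
Review bot: free(line) still comes before the regex_report_error(&line->regex, err, "compile", tok) call in the quoted hunk, so assigning the result to err does not remove the use-after-free; &line->regex is still read from memory that has already been released. Move free(line) to after the regex_report_error() call and before "return err;", so the report runs on live memory and the return value held in err survives the free.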