[PATCH] net: phy: ncsi: fixed not nullify the pointers after free

[PATCH] net: phy: ncsi: fixed not nullify the pointers after free

[Jacky Chou]

The issue occurs the UAF (use-after-free) to cause double free
when do the realloc function for the pointers during the
reinitialization NC-SI process, and it will cause the memory
management occurs error.
So, nullify these pointers after free.

Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
---
 drivers/net/phy/ncsi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/ncsi.c b/drivers/net/phy/ncsi.c
index eb3fd65bb4..9689385884 100644
--- a/drivers/net/phy/ncsi.c
+++ b/drivers/net/phy/ncsi.c
@@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len)
 
 	/* Link or configuration lost - just redo the discovery process */
 	ncsi_priv->state = NCSI_PROBE_PACKAGE_SP;
-	for (i = 0; i < ncsi_priv->n_packages; i++)
+	for (i = 0; i < ncsi_priv->n_packages; i++) {
 		free(ncsi_priv->packages[i].channels);
+		ncsi_priv->packages[i].channels = NULL;
+	}
 	free(ncsi_priv->packages);
+	ncsi_priv->packages = NULL;
 	ncsi_priv->n_packages = 0;
 
 	ncsi_priv->current_package = NCSI_PACKAGE_MAX;
-- 
2.34.1

Re: [PATCH] net: phy: ncsi: fixed not nullify the pointers after free

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 431 bytes --]

On Fri, Dec 29, 2023 at 09:45:55AM +0800, Jacky Chou wrote:

> The issue occurs the UAF (use-after-free) to cause double free
> when do the realloc function for the pointers during the
> reinitialization NC-SI process, and it will cause the memory
> management occurs error.
> So, nullify these pointers after free.
> 
> Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>

Applied to u-boot/next, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]