From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?windows-1252?Q?Vincent_Stehl=E9?= <vincent.stehle@freescale.com>
Date: Wed, 7 Oct 2015 16:35:53 +0200
Subject: [U-Boot] [PATCH] tools/proftool: fix use-after-free
In-Reply-To: <20151007141929.GO3829@bill-the-cat>
References: <1444225728-23057-1-git-send-email-vincent.stehle@freescale.com>
 <20151007141929.GO3829@bill-the-cat>
Message-ID: <56152DC9.3060009@freescale.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 10/07/2015 04:19 PM, Tom Rini wrote:
..
> Were you in the Coverity talk too? :)

Hi Tom,

No, I was not following that talk, sorry.

..
>                         free(line);
> -                       return regex_report_error(&line->regex, err, "compile",
> +                       err = regex_report_error(&line->regex, err, "compile",
>                                                   tok);
> +                       return err;

I am not sure you solve the problem this way. Indeed the structure
pointed to by the line pointer will still have been freed before use
even this way. Who knows what the memory contains when regerror() will
access &line->regex, which is contained into the freed structure?

Best regards,

V.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20151007/15a57976/attachment.sig>