summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorJacky Chou <[email protected]>2023-12-29 09:45:55 +0800
committerTom Rini <[email protected]>2024-03-26 19:58:26 -0400
commit22f314e01ce249ec1649623ef725552f677beb62 (patch)
tree79f8c56d6ffef80d1f082b8442ce977dfdea5fc9 /drivers
parentab8d9ca3044acf51d8ff3bf3c4718c48f30ad606 (diff)
net: phy: ncsi: fixed not nullify the pointers after free
The issue occurs the UAF (use-after-free) to cause double free when do the realloc function for the pointers during the reinitialization NC-SI process, and it will cause the memory management occurs error. So, nullify these pointers after free. Signed-off-by: Jacky Chou <[email protected]>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/phy/ncsi.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/phy/ncsi.c b/drivers/net/phy/ncsi.c
index eb3fd65bb47..96893858847 100644
--- a/drivers/net/phy/ncsi.c
+++ b/drivers/net/phy/ncsi.c
@@ -619,9 +619,12 @@ static void ncsi_handle_aen(struct ip_udp_hdr *ip, unsigned int len)
/* Link or configuration lost - just redo the discovery process */
ncsi_priv->state = NCSI_PROBE_PACKAGE_SP;
- for (i = 0; i < ncsi_priv->n_packages; i++)
+ for (i = 0; i < ncsi_priv->n_packages; i++) {
free(ncsi_priv->packages[i].channels);
+ ncsi_priv->packages[i].channels = NULL;
+ }
free(ncsi_priv->packages);
+ ncsi_priv->packages = NULL;
ncsi_priv->n_packages = 0;
ncsi_priv->current_package = NCSI_PACKAGE_MAX;
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-02 11:06:24 +0000