[PATCH] net: Fix memory corruption in eth_halt() if the stop handler frees the priv member

Bernhard Rosenkränzer bero at baylibre.com
Mon Dec 12 21:44:11 CET 2022


Calling eth_halt() could result in memory corruption if the stop()
handler frees or modifies the priv member.

A stored value of dev_get_uclass_priv() is assumed to remain valid
after the stop() handler has been called, which is not always the
case (e.g. rndis over usb gadget).

Re-check the priv pointer after calling the stop() handler.

Signed-off-by: Bernhard Rosenkränzer <bero at baylibre.com>
---
 net/eth-uclass.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/eth-uclass.c b/net/eth-uclass.c
index f41da4b37b..410f3310c7 100644
--- a/net/eth-uclass.c
+++ b/net/eth-uclass.c
@@ -343,6 +343,11 @@ void eth_halt(void)
 		return;
 
 	eth_get_ops(current)->stop(current);
+
+	priv = dev_get_uclass_priv(current);
+	if (!priv || !priv->running)
+		return;
+
 	priv->state = ETH_STATE_PASSIVE;
 	priv->running = false;
 }
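
Review bot: the early return on !priv->running, added right after the stop() call, also skips the priv->state = ETH_STATE_PASSIVE assignment, so a stop handler that only clears running (without freeing priv) leaves state at its previous value. If that is not intended, return only on !priv and let the two assignments run otherwise. The re-read also helps only when the freed uclass priv pointer is reset to NULL: a stale non-NULL pointer would still be dereferenced by priv->running, and current itself is used again after stop(). A short comment above the re-read saying that stop() may free or replace priv (the rndis over usb gadget case from the commit message) would keep a later cleanup from removing it as redundant.
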
-- 
2.38.1


