[PATCH] net: Fix memory corruption in eth_halt() if the stop handler frees the priv member
Bernhard Rosenkränzer
bero at baylibre.com
Mon Dec 12 21:44:11 CET 2022

Calling eth_halt() could result in memory corruption if the stop()
handler frees or modifies the priv member.

A stored value of dev_get_uclass_priv() is assumed to remain valid
after the stop() handler has been called, which is not always the
case (e.g. rndis over usb gadget).

Re-check the priv pointer after calling the stop() handler.

Signed-off-by: Bernhard Rosenkränzer <bero at baylibre.com>
---
net/eth-uclass.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/eth-uclass.c b/net/eth-uclass.c
index f41da4b37b..410f3310c7 100644
--- a/net/eth-uclass.c
+++ b/net/eth-uclass.c
@@ -343,6 +343,11 @@ void eth_halt(void)
return;
eth_get_ops(current)->stop(current);
+
+ priv = dev_get_uclass_priv(current);
+ if (!priv || !priv->running)
+ return;
+
priv->state = ETH_STATE_PASSIVE;
priv->running = false;
}
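
Review bot: the `!priv->running` half of the new check returns before `priv->state = ETH_STATE_PASSIVE;`, so a stop() handler that clears `running` itself but leaves priv in place would leave `state` unchanged. If only the freed-priv case is meant to be covered, `if (!priv) return;` is enough and the two assignments below stay unconditional; if skipping the state update is intended, say so in a comment. A short comment above the re-fetch explaining that stop() may free or replace the uclass priv (the rndis over usb gadget case from the commit message) would also keep someone from later folding it back into the earlier lookup. The re-fetch also still dereferences `current` after stop(), so it is worth confirming in the commit message that the device itself stays valid on that path and only its priv goes away.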
--
2.38.1