[PATCH] tools: fwumdata: Fix use-after-free in parse_config()

Kory Maincent kory.maincent at bootlin.com
Tue Apr 7 14:34:35 CEST 2026


In parse_config(), devname is dynamically allocated by sscanf().
When sscanf() fails to fill enough fields (rc < 3), devname is freed and
the loop continues to the next line. However, if the next call to sscanf()
fails to match (rc == 0), devname is not written and still holds the stale
freed pointer. The subsequent free(devname) then operates on
already-freed memory.

Fix this by resetting devname to NULL before each sscanf() call, so
that a non-matching call leaves a NULL pointer and the subsequent
free() becomes a harmless no-op.

Reported-by: Coverity Scan
Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html
Signed-off-by: Kory Maincent <kory.maincent at bootlin.com>
---
 tools/fwumdata_src/fwumdata.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/fwumdata_src/fwumdata.c b/tools/fwumdata_src/fwumdata.c
index c5b0f56842d..44195ce2bf2 100644
--- a/tools/fwumdata_src/fwumdata.c
+++ b/tools/fwumdata_src/fwumdata.c
@@ -84,6 +84,7 @@ static int parse_config(const char *fname)
 		if (line[0] == '#' || line[0] == '\n')
 			continue;
 
+		devname = NULL;
 		rc = sscanf(line, "%ms %lli %lx %lx",
 			    &devname,
 			    &devices[i].devoff,
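Review bot: The added `devname = NULL;` ahead of the sscanf() call has no comment, and on its own it reads like a redundant assignment that a later cleanup could drop. A one-line comment above it would protect the fix, for example noting that `%ms` leaves devname unwritten when nothing matches, so the pointer must be cleared on every iteration for the later free() to stay safe. The reasoning is in the commit message, but it is worth having next to the line as well.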
-- 
2.43.0


