[PATCH] tools: image-host: fix memory leak of info.name in signature functions
Simon Glass
sjg at chromium.org
Mon May 25 17:09:56 CEST 2026

Hi Anton,

On 2026-05-21T19:14:00, Anton Moryakov <ant.v.moryakov at gmail.com> wrote:
> tools: image-host: fix memory leak of info.name in signature functions
>
> Static analysis reported that info.name (allocated via strdup() in
> fit_image_setup_sig()) is not freed in two functions:
>
> 1. fit_image_process_sig(): info.name leaked on error path and success path
> 2. fit_config_process_sig(): info.name leaked on error path and success path
>
> Fix: add free(info.name) in both error paths (after fit_image_setup_sig()
> failure) and at the end of successful execution paths.
>
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
>
> tools/image-host.c | 4 ++++
> 1 file changed, 4 insertions(+)
> diff --git a/tools/image-host.c b/tools/image-host.c
> @@ -245,6 +245,7 @@ static int fit_image_process_sig(const char *keydir, const char *keyfile,
> if (fit_image_setup_sig(&info, keydir, keyfile, fit, image_name,
> noffset, require_keys ? 'image' : NULL,
> engine_id, algo_name))
> + free(info.name);
> return -1;
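Review bot: the added free(info.name) becomes the sole body of the brace-less if on fit_image_setup_sig(), which leaves the following return -1 outside the condition so it runs on every call. Put both statements in one braced block, and initialise info (for example to all zeroes at its declaration) so that free(info.name) is defined whichever point the setup function fails at.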
The 'if' has no braces, so return -1 is now unconditional - the
function always returns -1, even on success. Same in
fit_config_process_sig().

Even with braces, fit_image_setup_sig() can return -1 at line 185 (the
fit_image_hash_get_algo() failure) before the memset(.) at line 191,
so info.name is an uninitialised stack value and free(info.name) is
undefined behaviour.
> diff --git a/tools/image-host.c b/tools/image-host.c
> @@ -272,6 +273,7 @@ static int fit_image_process_sig(const char *keydir, const char *keyfile,
> return -1;
> }
> free(value);
> + free(info.name);
>
> /* Get keyname again, as FDT has changed and invalidated our pointer */
> info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
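Review bot: free(info.name) directly after free(value) releases a member of info while info is still live, since info.keyname is reassigned on the very next lines, and info.name is left dangling rather than set to NULL. Move the free to a single exit label at the end of the function so every return path goes through it exactly once.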
Freeing info.name mid-function is fragile - info is still used below
by info.crypto->add_verify_data(). Several other exit paths still
leak: the ret == -ENOENT return 0, the return -1 after sign failure,
the -ENOSPC return, and the add_verify_data() error return. Please use
a single cleanup label with goto, freeing info.name once at the end,
rather than sprinkling free() at only some return points. Same for
fit_config_process_sig().

BTW please run the FIT signing tests (test/py and binman tests that
exercise fit_image_process_sig) before resending - they would have
caught the missing-braces bug.
Regards,
Simon
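
The single-cleanup-label pattern asked for in the review above, as an added example that is not part of the thread or of U-Boot's code: `struct sig_info`, `setup_sig()`, `process_sig()` and the `live_names` counter are hypothetical stand-ins, and the failure points are passed in as flags so each exit path can be exercised.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the signing context; not U-Boot's struct. */
struct sig_info {
	char *name;
	const char *keyname;
};

static int live_names;	/* names allocated and not yet freed */

/* Can fail before (fail_early) or after (fail_late) name is allocated. */
static int setup_sig(struct sig_info *info, const char *name,
		     int fail_early, int fail_late)
{
	if (fail_early)
		return -1;	/* info untouched: caller must have zeroed it */
	memset(info, 0, sizeof(*info));
	info->name = malloc(strlen(name) + 1);	/* stands in for strdup() */
	if (!info->name)
		return -1;
	strcpy(info->name, name);
	live_names++;
	return fail_late ? -1 : 0;
}

/* sign_ret models the signing step: 0, -ENOENT (skip, success) or an error. */
static int process_sig(const char *name, int fail_early, int fail_late,
		       int sign_ret)
{
	struct sig_info info = { 0 };	/* makes free(info.name) safe on all paths */
	int ret = -1;

	if (setup_sig(&info, name, fail_early, fail_late))
		goto out;
	if (sign_ret == -ENOENT) {	/* key missing but not required */
		ret = 0;
		goto out;
	}
	if (sign_ret)
		goto out;
	info.keyname = info.name;	/* info is still used after signing */
	ret = info.keyname[0] ? 0 : -1;
out:
	if (info.name)
		live_names--;
	free(info.name);	/* the only free, reached from every return path */
	return ret;
}
```
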