Hi,
-----Original Message-----
From: Huang, Wei <[email protected]>
Sent: Wednesday, March 17, 2021 4:22 PM
To: [email protected]; Xu, Rosen <[email protected]>; Zhang, Qi Z
<[email protected]>
Cc: [email protected]; Zhang, Tianfei <[email protected]>; Huang, Wei
<[email protected]>
Subject: [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free
In write_flash_image(), calling function "read" may taints variable "buf" which
turn to an untrusted value as argument of "rte_free".
Coverity issue: 367477
Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
Signed-off-by: Wei Huang <[email protected]>
---
drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
index 28198abd78..d32f1eccb1 100644
--- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
+++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
@@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
uint32_t offset)
{
void *buf = NULL;
+ void *buf_to_free = NULL;
int retry = 0;
uint32_t length = 0;
uint32_t to_transfer = 0;
@@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
close(fd);
return -ENOMEM;
}
+ buf_to_free = buf;
length = smgr->rsu_length;
one_percent = length / 100;
@@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
printf("\n");
end:
- free(buf);
+ free(buf_to_free);
close(fd);
return ret;
}
--
2.29.2
Acked-by: Rosen Xu <[email protected]>
