Message ID | 20170526040748.10540-1-oohall@gmail.com |
---|---|
State | Accepted |
Oliver O'Halloran <oohall@gmail.com> writes:
> In the bail-out path we call ffs_close() to tear down the partially
> initialised ffs_handle. ffs_close() expects the entries list to be
> initialised so we need to do that earlier to prevent a null pointer
> dereference.

Hah, I literally just hit this the other day when doing various crazy things, merged to master as of 25e42bad1f29384526d4ac1ad43dbd53505a687b.
diff --git a/libflash/libffs.c b/libflash/libffs.c index dca40188edb8..763e061c7a19 100644 --- a/libflash/libffs.c +++ b/libflash/libffs.c @@ -256,6 +256,7 @@ int ffs_init(uint32_t offset, uint32_t max_size, struct blocklevel_device *bl, f->toc_offset = offset; f->max_size = max_size; f->bl = bl; + list_head_init(&f->hdr.entries); /* Convert and check flash header */ rc = ffs_check_convert_header(&f->hdr, &raw_hdr); @@ -298,7 +299,6 @@ int ffs_init(uint32_t offset, uint32_t max_size, struct blocklevel_device *bl, goto out; } - list_head_init(&f->hdr.entries); for (i = 0; i < be32_to_cpu(raw_hdr.entry_count); i++) { struct ffs_entry *ent = calloc(1, sizeof(struct ffs_entry)); if (!ent) {
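Review bot: in the first hunk the new `list_head_init(&f->hdr.entries);` lands after the `f->toc_offset`, `f->max_size` and `f->bl` assignments rather than immediately after the handle is allocated, so any early exit introduced between allocation and this point (or any future check placed above `ffs_check_convert_header`) would reintroduce the NULL dereference in ffs_close(). Consider moving the init to directly follow the allocation of `f` so that every path that can reach `out` sees a valid, empty list, and add a one-line comment such as `/* ffs_close() walks this list on every bail-out path */` since the ordering constraint is not obvious from the code itself.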
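Review bot: in the second hunk, removing the later `list_head_init(&f->hdr.entries);` rather than leaving both calls is the right choice: nothing is linked into the list between the two sites, so the second init was redundant once the first one exists, and keeping it would silently orphan any entry that a future change linked above it. The loop below it allocates each entry with `calloc(1, sizeof(struct ffs_entry))` and the `if (!ent)` branch (cut off here) is the bail-out the commit message is about; with the list initialised before the first `goto out`, ffs_close() can now free the entries already linked, so no further change is needed in this hunk.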
In the bail-out path we call ffs_close() to tear down the partially
initialised ffs_handle. ffs_close() expects the entries list to be
initialised so we need to do that earlier to prevent a null pointer
dereference.

Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
 libflash/libffs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)