authorAndrew Engelbrecht <sudoman@ninthfloor.org>2014-12-01 12:22:48 -0500
committerPatrick Georgi <pgeorgi@google.com>2014-12-02 10:15:00 +0100
commite8905312f066fc899089edebe803873819f2b920 (patch)
tree80165da2c7e35b1b0a024cc5f29d3c8b9b1f98f5
parente0e784a456c4d64e5e88ce578371fe6c538db559 (diff)
downloadcoreboot-e8905312f066fc899089edebe803873819f2b920.tar.xz
nvramtool: cmos_read(): Use malloc() instead of alloca()
Fixes crash occurring when 'nvramtool -a' tried to free a prematurely freed pointer. (Tested on x60) malloc() is correct because the pointer is accessed outside the calling function. The pointer is freed in the parent function list_cmos_entry(). Change-Id: I1723f09740657f0f0d9e6954bd6d11c0a3820a42 Signed-off-by: Andrew Engelbrecht <sudoman@ninthfloor.org> Reviewed-on: http://review.coreboot.org/7620 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <pgeorgi@google.com> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
-rw-r--r--util/nvramtool/cmos_lowlevel.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/util/nvramtool/cmos_lowlevel.c b/util/nvramtool/cmos_lowlevel.c
index 618e8d2b27..c46e48062d 100644
--- a/util/nvramtool/cmos_lowlevel.c
+++ b/util/nvramtool/cmos_lowlevel.c
@@ -112,6 +112,9 @@ static inline void put_bits(unsigned char value, unsigned bit,
* Read value from nonvolatile RAM at position given by 'bit' and 'length'
* and return this value. The I/O privilege level of the currently executing
* process must be set appropriately.
+ *
+ * Returned value is either (unsigned long long), or malloc()'d (char *)
+ * cast to (unsigned long long)
****************************************************************************/
unsigned long long cmos_read(const cmos_entry_t * e)
{
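Review bot: The comment added above cmos_read() says the string case returns a malloc()'d `char *`, but it does not say that ownership passes to the caller or that the caller must check `e->config` to know which kind of value came back. The commit message names list_cmos_entry() as the function that frees the buffer; any other caller that reads a CMOS_ENTRY_STRING entry would presumably leak it, and one that treats the result as a number would be handling a raw pointer, so the contract belongs in the comment. I would add ` * For CMOS_ENTRY_STRING entries the caller must cast the result back to (char *) and free() it.` Returning a pointer through `unsigned long long` also assumes the pointer fits in that type, which a cast via `uintptr_t` at both ends would make explicit. The body of cmos_read() continues outside this hunk.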
@@ -126,7 +129,7 @@ unsigned long long cmos_read(const cmos_entry_t * e)
if (e->config == CMOS_ENTRY_STRING) {
int strsz = (length + 7) / 8;
- char *newstring = alloca(strsz);
+ char *newstring = malloc(strsz);
unsigned usize = (8 * sizeof(unsigned long long));
if (!newstring) {