hush: fix segfault on syntax error

Hush segfaults if it sees a syntax error while attempting to parse a command: $ ./u-boot -c "'" ... syntax error Segmentation fault (core dumped) This is due to a NULL pointer dereference of in_str->p in static_peek(). The problem is that the exit condition for the loop in parse_stream_outer() checks for rcode not being -1, but rcode is only ever 0 or 1. Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Simon Glass <sjg@chromium.org) Tested-by: Simon Glass <sjg@chromium.org)

hush: fix segfault on syntax error
Hush segfaults if it sees a syntax error while attempting to parse a command: $ ./u-boot -c "'" ... syntax error Segmentation fault (core dumped) This is due to a NULL pointer dereference of in_str->p in static_peek(). The problem is that the exit condition for the loop in parse_stream_outer() checks for rcode not being -1, but rcode is only ever 0 or 1. Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Simon Glass <sjg@chromium.org) Tested-by: Simon Glass <sjg@chromium.org)
Rabin Vincent · Tom Rini · Eric Lee · Eric Lee · Eric Lee · Eric Lee
1 parent 484408fb51
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
common/cli_hush.c
@@ -3217,7 +3217,7 @@
 		}
 		b_free(&temp);
 	/* loop on syntax errors, return on EOF */
-	} while (rcode != -1 && !(flag & FLAG_EXIT_FROM_LOOP) &&
+	} while (rcode != 1 && !(flag & FLAG_EXIT_FROM_LOOP) &&
 		(inp->peek != static_peek || b_peek(inp)));
 #ifndef __U_BOOT__
 	return 0;
...	...	@@ -3217,7 +3217,7 @@
3217	3217	}
3218	3218	b_free(&temp);
3219	3219	/* loop on syntax errors, return on EOF */
3220		- } while (rcode != -1 && !(flag & FLAG_EXIT_FROM_LOOP) &&
	3220	+ } while (rcode != 1 && !(flag & FLAG_EXIT_FROM_LOOP) &&
3221	3221	(inp->peek != static_peek \|\| b_peek(inp)));
3222	3222	#ifndef __U_BOOT__
3223	3223	return 0;