By giving a bogus partition name, it's possible to trigger a null pointer dereference.
Signed-off-by: Jason A. Donenfeld <[email protected]>
---
 drivers/mtd/redboot.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/mtd/redboot.c b/drivers/mtd/redboot.c
index 7623ac5fc586..53949ef80d36 100644
--- a/drivers/mtd/redboot.c
+++ b/drivers/mtd/redboot.c
@@ -212,6 +212,10 @@ static int parse_redboot_partitions(struct mtd_info *master,
 nrparts++;
 }
+ if (!fl) {
+ ret = -EINVAL;
+ goto out;
+ }
 #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
 if (fl->img->flash_base) {
 nrparts++;
--
2.11.0
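Review bot: The new `if (!fl)` guard carries no comment saying when the list can be empty, and the commit message only mentions a "bogus partition name", so a later reader cannot tell which input leaves `fl` NULL. I would put a comment above it along the lines of `/* Nothing was linked into the list (presumably no directory entry was accepted), so fl must not be dereferenced below. */`. Placing the check outside the `#ifdef` is right if code after this hunk also walks `fl` when `CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED` is off, but that code is not visible here. The `out` label is also outside the hunk, so it is worth confirming that it releases what was allocated earlier in `parse_redboot_partitions` and tolerates an empty list. Also confirm that callers of the parser expect `-EINVAL` here rather than a count of zero partitions.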

