kern/rescue_parser: Ensure that parser allocated memory is not leaked

While it would appear unlikely that the memory allocated in *argv in
grub_parser_split_cmdline() would be leaked, we should try ensure that
it doesn't leak by calling grub_free() before we return from
grub_rescue_parse_line().

To avoid a possible double-free, grub_parser_split_cmdline() is being
changed to assign *argv = NULL when we've called grub_free() in the fail
section.

Fixes: CID 96680

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2 files changed, 10 insertions, 2 deletions

diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
index 6ab7aa427..9b7b31a51 100644
--- a/grub-core/kern/parser.c
+++ b/grub-core/kern/parser.c
@@ -298,6 +298,8 @@ grub_parser_split_cmdline (const char *cmdline,
 
  fail:
   grub_free (*argv);
+  *argv = NULL;
+  *argc = 0;
   goto out;
 }
 
diff --git a/grub-core/kern/rescue_parser.c b/grub-core/kern/rescue_parser.c
index 633836699..799641a03 100644
--- a/grub-core/kern/rescue_parser.c
+++ b/grub-core/kern/rescue_parser.c
@@ -36,10 +36,16 @@ grub_rescue_parse_line (char *line,
 
   if (grub_parser_split_cmdline (line, getline, getline_data, &n, &args)
       || n < 0)
-    return grub_errno;
+    {
+      grub_free(args);
+      return grub_errno;
+    }
 
   if (n == 0)
-    return GRUB_ERR_NONE;
+    {
+      grub_free(args);
+      return GRUB_ERR_NONE;
+    }
 
   /* In case of an assignment set the environment accordingly
      instead of calling a function.  */