Fix 'use-after-free' or 'double-free' issues

cedelavergne-ledger · cedelavergne-ledger · commit 20a536ff7b0a · 2026-04-01T14:11:10.000+02:00
diff --git a/src/features/generic_tx_parser/tx_ctx.c b/src/features/generic_tx_parser/tx_ctx.c
@@ -165,23 +165,29 @@ static bool process_empty_tx(const s_tx_ctx *tx_ctx) {
 }
 
 bool process_empty_txs_before(void) {
-    for (list_node_t *tmp = ((list_node_t *) g_tx_ctx_current)->prev;
-         (tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL);
-         tmp = tmp->prev) {
+    list_node_t *tmp = ((list_node_t *) g_tx_ctx_current)->prev;
+    while ((tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL)) {
+        // process_empty_tx calls list_remove + delete_tx_ctx, which frees tmp.
+        // Ensure reading tmp->prev before the call to avoid use-after-free.
+        list_node_t *prev = tmp->prev;
         if (!process_empty_tx((s_tx_ctx *) tmp)) {
             return false;
         }
+        tmp = prev;
     }
     return true;
 }
 
 bool process_empty_txs_after(void) {
-    for (flist_node_t *tmp = ((flist_node_t *) g_tx_ctx_current)->next;
-         (tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL);
-         tmp = tmp->next) {
+    flist_node_t *tmp = ((flist_node_t *) g_tx_ctx_current)->next;
+    while ((tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL)) {
+        // process_empty_tx calls list_remove + delete_tx_ctx, which frees tmp.
+        // Ensure reading tmp->next before the call to avoid use-after-free.
+        flist_node_t *next = tmp->next;
         if (!process_empty_tx((s_tx_ctx *) tmp)) {
             return false;
         }
+        tmp = next;
     }
     return true;
 }
@@ -291,6 +297,15 @@ bool tx_ctx_init(s_calldata *calldata,
         return false;
     }
     list_push_back((list_node_t **) &g_tx_ctx_list, (list_node_t *) node);
+
+    // Ownership of the calldata has been transferred to the node.
+    // Clear g_parked_calldata now so callers cannot double-free it if we return
+    // false below (e.g. when field_table_init fails after the node is in the list
+    // and will be freed by tx_ctx_cleanup via delete_tx_ctx).
+    if (g_parked_calldata == calldata) {
+        g_parked_calldata = NULL;
+    }
+
     if ((appState == APP_STATE_SIGNING_TX) && (node == g_tx_ctx_list)) {
         return field_table_init();
     }
diff --git a/src/features/provide_network_info/network_info.c b/src/features/provide_network_info/network_info.c
@@ -417,11 +417,14 @@ void network_info_cleanup(network_info_t *network) {
         // Remove from list
         flist_remove((flist_node_t **) &g_dynamic_network_list, (flist_node_t *) network, NULL);
 
-        // Free the network info structure
-        APP_MEM_FREE_AND_NULL((void **) &network);
+        // Save address before freeing to check if it's the last added network
+        bool was_last = (g_last_added_network == network);
+
+        // Free the network info structure (local parameter — no need to null it)
+        APP_MEM_FREE((void *) network);
 
         // Reset last added network pointer if it was this network
-        if (g_last_added_network == network) {
+        if (was_last) {
             g_last_added_network = NULL;
             // Also cleanup temporary buffers associated with this network
             clear_icon();

Original file line number	Diff line number	Diff line change
`@@ -165,23 +165,29 @@ static bool process_empty_tx(const s_tx_ctx *tx_ctx) {`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`bool process_empty_txs_before(void) {`
`168`		`- for (list_node_t tmp = ((list_node_t ) g_tx_ctx_current)->prev;`
`169`		`- (tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL);`
`170`		`- tmp = tmp->prev) {`
	`168`	`+ list_node_t tmp = ((list_node_t ) g_tx_ctx_current)->prev;`
	`169`	`+ while ((tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL)) {`
	`170`	`+ // process_empty_tx calls list_remove + delete_tx_ctx, which frees tmp.`
	`171`	`+ // Ensure reading tmp->prev before the call to avoid use-after-free.`
	`172`	`+ list_node_t *prev = tmp->prev;`
`171`	`173`	`if (!process_empty_tx((s_tx_ctx *) tmp)) {`
`172`	`174`	`return false;`
`173`	`175`	`}`
	`176`	`+ tmp = prev;`
`174`	`177`	`}`
`175`	`178`	`return true;`
`176`	`179`	`}`
`177`	`180`
`178`	`181`	`bool process_empty_txs_after(void) {`
`179`		`- for (flist_node_t tmp = ((flist_node_t ) g_tx_ctx_current)->next;`
`180`		`- (tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL);`
`181`		`- tmp = tmp->next) {`
	`182`	`+ flist_node_t tmp = ((flist_node_t ) g_tx_ctx_current)->next;`
	`183`	`+ while ((tmp != NULL) && (((s_tx_ctx *) tmp)->calldata == NULL)) {`
	`184`	`+ // process_empty_tx calls list_remove + delete_tx_ctx, which frees tmp.`
	`185`	`+ // Ensure reading tmp->next before the call to avoid use-after-free.`
	`186`	`+ flist_node_t *next = tmp->next;`
`182`	`187`	`if (!process_empty_tx((s_tx_ctx *) tmp)) {`
`183`	`188`	`return false;`
`184`	`189`	`}`
	`190`	`+ tmp = next;`
`185`	`191`	`}`
`186`	`192`	`return true;`
`187`	`193`	`}`
`@@ -291,6 +297,15 @@ bool tx_ctx_init(s_calldata *calldata,`
`291`	`297`	`return false;`
`292`	`298`	`}`
`293`	`299`	`list_push_back((list_node_t *) &g_tx_ctx_list, (list_node_t ) node);`
	`300`	`+`
	`301`	`+ // Ownership of the calldata has been transferred to the node.`
	`302`	`+ // Clear g_parked_calldata now so callers cannot double-free it if we return`
	`303`	`+ // false below (e.g. when field_table_init fails after the node is in the list`
	`304`	`+ // and will be freed by tx_ctx_cleanup via delete_tx_ctx).`
	`305`	`+ if (g_parked_calldata == calldata) {`
	`306`	`+ g_parked_calldata = NULL;`
	`307`	`+ }`
	`308`	`+`
`294`	`309`	`if ((appState == APP_STATE_SIGNING_TX) && (node == g_tx_ctx_list)) {`
`295`	`310`	`return field_table_init();`
`296`	`311`	`}`