From 4c239a9db6774b81bdb7928b2965c49830ea53e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20M=C3=BAdry?= <adam.mudry@espressif.com>
Date: Wed, 10 Jan 2024 14:31:15 +0100
Subject: [PATCH] fix: i2c_eeprom_init use after free when error

---
 .../components/i2c_eeprom/i2c_eeprom.c        | 21 +++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/examples/peripherals/i2c/i2c_eeprom/components/i2c_eeprom/i2c_eeprom.c b/examples/peripherals/i2c/i2c_eeprom/components/i2c_eeprom/i2c_eeprom.c
index 20dc7a0696..628730ed4a 100644
--- a/examples/peripherals/i2c/i2c_eeprom/components/i2c_eeprom/i2c_eeprom.c
+++ b/examples/peripherals/i2c/i2c_eeprom/components/i2c_eeprom/i2c_eeprom.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -38,6 +38,8 @@ esp_err_t i2c_eeprom_init(i2c_master_bus_handle_t bus_handle, const i2c_eeprom_c
     }
 
     out_handle->buffer = (uint8_t*)calloc(1, eeprom_config->addr_wordlen + I2C_EEPROM_MAX_TRANS_UNIT);
+    ESP_GOTO_ON_FALSE(out_handle->buffer, ESP_ERR_NO_MEM, err, TAG, "no memory for i2c eeprom device buffer");
+
     out_handle->addr_wordlen = eeprom_config->addr_wordlen;
     out_handle->write_time_ms = eeprom_config->write_time_ms;
     *eeprom_handle = out_handle;
@@ -45,39 +47,32 @@ esp_err_t i2c_eeprom_init(i2c_master_bus_handle_t bus_handle, const i2c_eeprom_c
     return ESP_OK;
 
 err:
-    if (out_handle) {
-        free(out_handle);
-    }
-    if (out_handle->i2c_dev) {
+    if (out_handle && out_handle->i2c_dev) {
         i2c_master_bus_rm_device(out_handle->i2c_dev);
     }
+    free(out_handle);
     return ret;
 }
 
 esp_err_t i2c_eeprom_write(i2c_eeprom_handle_t eeprom_handle, uint32_t address, const uint8_t *data, uint32_t size)
 {
     ESP_RETURN_ON_FALSE(eeprom_handle, ESP_ERR_NO_MEM, TAG, "no mem for buffer");
-    esp_err_t ret = ESP_OK;
-
     for (int i = 0; i < eeprom_handle->addr_wordlen; i++) {
         eeprom_handle->buffer[i] = (address & (0xff << ((eeprom_handle->addr_wordlen - 1 - i) * 8))) >> ((eeprom_handle->addr_wordlen - 1 - i) * 8);
     }
-
     memcpy(eeprom_handle->buffer + eeprom_handle->addr_wordlen, data, size);
-    ret = i2c_master_transmit(eeprom_handle->i2c_dev, eeprom_handle->buffer, eeprom_handle->addr_wordlen + size, -1);
-    return ret;
+
+    return i2c_master_transmit(eeprom_handle->i2c_dev, eeprom_handle->buffer, eeprom_handle->addr_wordlen + size, -1);
 }
 
 esp_err_t i2c_eeprom_read(i2c_eeprom_handle_t eeprom_handle, uint32_t address, uint8_t *data, uint32_t size)
 {
     ESP_RETURN_ON_FALSE(eeprom_handle, ESP_ERR_NO_MEM, TAG, "no mem for buffer");
-    esp_err_t ret = ESP_OK;
     for (int i = 0; i < eeprom_handle->addr_wordlen; i++) {
         eeprom_handle->buffer[i] = (address & (0xff << ((eeprom_handle->addr_wordlen - 1 - i) * 8))) >> ((eeprom_handle->addr_wordlen - 1 - i) * 8);
     }
 
-    ret = i2c_master_transmit_receive(eeprom_handle->i2c_dev, eeprom_handle->buffer, eeprom_handle->addr_wordlen, data, size, -1);
-    return ret;
+    return i2c_master_transmit_receive(eeprom_handle->i2c_dev, eeprom_handle->buffer, eeprom_handle->addr_wordlen, data, size, -1);
 }
 
 void i2c_eeprom_wait_idle(i2c_eeprom_handle_t eeprom_handle)