From b9f98904ba133f437ced3660b3b9f033f02244ec Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 11 Jun 2015 13:20:09 -0400
Subject: Don't leave in_protocol==1 when shim_verify() isn't enforcing.

Right now if shim_verify() sees secure_mode()==0, it exits with
EFI_SUCCESS, but accidentally leaves in_protocol=1.  This means any
other call will have supressed error/warning messages.

That's wrong, so don't do it.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 shim.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/shim.c b/shim.c
index d66c549c..99b0d0e2 100644
--- a/shim.c
+++ b/shim.c
@@ -1521,17 +1521,16 @@ error:
  */
 EFI_STATUS shim_verify (void *buffer, UINT32 size)
 {
-	EFI_STATUS status;
+	EFI_STATUS status = EFI_SUCCESS;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
 
 	loader_is_participating = 1;
 	in_protocol = 1;
 
 	if (!secure_mode())
-		return EFI_SUCCESS;
+		goto done;
 
 	status = read_header(buffer, size, &context);
-
 	if (status != EFI_SUCCESS)
 		goto done;
 
-- 
cgit v1.2.3