openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-04-28 08:07:03 +00:00
Code Issues Projects Releases Wiki Activity

Prevent use-after-free in uhidev_close().

Browse Source 
Close pipes before freeing transfers, otherwise accessing elements in
pipe->queue, like in usbd_abort_pipe(), will result in a crash.

Problem reported by reyk@, ok visa@
This commit is contained in:
mpi
2020-01-04 11:40:56 +00:00
parent cfe69ab9b6
commit ea9883cc1d
1 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
sys/dev/usb/uhidev.c
View File

@@ -1,4 +1,4 @@
/* $OpenBSD: uhidev.c,v 1.77 2019/11/13 10:40:03 patrick Exp $ */
/* $OpenBSD: uhidev.c,v 1.78 2020/01/04 11:40:56 mpi Exp $ */
/* $NetBSD: uhidev.c,v 1.14 2003/03/11 16:44:00 augustss Exp $ */
/*
@@ -606,6 +606,19 @@ uhidev_close(struct uhidev *scd)
return;
DPRINTF(("uhidev_close: close pipe\n"));
/* Disable interrupts. */
if (sc->sc_opipe != NULL) {
usbd_abort_pipe(sc->sc_opipe);
usbd_close_pipe(sc->sc_opipe);
sc->sc_opipe = NULL;
}
if (sc->sc_ipipe != NULL) {
usbd_abort_pipe(sc->sc_ipipe);
usbd_close_pipe(sc->sc_ipipe);
sc->sc_ipipe = NULL;
}
if (sc->sc_oxfer != NULL) {
usbd_free_xfer(sc->sc_oxfer);
sc->sc_oxfer = NULL;
@@ -621,19 +634,6 @@ uhidev_close(struct uhidev *scd)
sc->sc_ixfer = NULL;
}
/* Disable interrupts. */
if (sc->sc_opipe != NULL) {
usbd_abort_pipe(sc->sc_opipe);
usbd_close_pipe(sc->sc_opipe);
sc->sc_opipe = NULL;
}
if (sc->sc_ipipe != NULL) {
usbd_abort_pipe(sc->sc_ipipe);
usbd_close_pipe(sc->sc_ipipe);
sc->sc_ipipe = NULL;
}
if (sc->sc_ibuf != NULL) {
free(sc->sc_ibuf, M_USBDEV, sc->sc_isize);
sc->sc_ibuf = NULL;