projects / firefly-linux-kernel-4.4.55.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 61c901c) | patch
HID: usbhid: fix use-after-free bug
authorAlan Stern <stern@rowland.harvard.edu>
Thu, 19 Jul 2012 20:08:21 +0000 (16:08 -0400)
committerJiri Kosina <jkosina@suse.cz>
Fri, 20 Jul 2012 09:24:23 +0000 (11:24 +0200)
commit668160e5a80536251b4931a332dfe34d6ec2aeb7
tree326dff1f73e54f8f57a49b090a9f0411cd22dfdbtree | snapshot
parent61c901c56905256a4a4d7c2af92d66200a2ee7f2commit | diff
HID: usbhid: fix use-after-free bug

This patch (as1592) fixes an obscure problem in the usbhid driver.
Under some circumstances, a control or interrupt-OUT URB can be
submitted twice.  This will happen if the first submission fails; the
queue pointers aren't updated, so the next time the queue is restarted
the same URB will be submitted again.

The problem is that raw_report gets deallocated during the first
submission.  The second submission will then dereference and try to
free an already-freed region of memory.  The patch fixes the problem
by setting raw_report to NULL when it is deallocated and checking for
NULL before dereferencing it.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/usbhid/hid-core.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.