review.tizen.org Git - platform/upstream/libusb.git/commit

author	Toby Gray <toby.gray@realvnc.com>
	Thu, 11 Apr 2013 12:40:31 +0000 (13:40 +0100)
committer	Pete Batard <pete@akeo.ie>
	Thu, 11 Apr 2013 22:22:19 +0000 (23:22 +0100)
commit	e68c66679293a86da62a2636df54b43bbde1daa4
tree	0f5ba82c0ffb0f563747db92a66751298c243de9	tree \| snapshot
parent	a66cfa05fe384e2aa09ceb1660e83d51adbc4cd3	commit \| diff

Windows: Correctly clear backend transfer private information

* Without this fix if a transfer is reused then there is a period of
  time between it being adding to the flying transfer list and
  submitted where the fd value will be the old fd value.
* If this occurs at the same time as all of the following conditions
  then the incorrect transfer will be handled as having completed:
* The old fd value in the reused transfer has been recycled for a
  currently pending transfer.
* This other pending transfer has a later timeout than the reused
  transfer (so therefore comes later in the flying transfer list).
* The other pending transfer completes, therefore signalling the fd.

As the flying transfer list is examined in order when handling events,
the resubmitted transfer with the old fd value will be considered as
completed. This will generally cause a NULL pointer dereference as the
OVERLAPPED structure was already freed.

Also see:
http://libusbx.1081486.n5.nabble.com/Libusbx-devel-PATCH-Fix-NULL-pointer-dereference-in-Windows-and-WinCE-backends-when-reusing-transfers-tt1041.html

libusb/os/poll_windows.c		diff \| blob \| history
libusb/os/poll_windows.h		diff \| blob \| history
libusb/os/wince_usb.c		diff \| blob \| history
libusb/os/windows_usb.c		diff \| blob \| history
libusb/version_nano.h		diff \| blob \| history