a fix for SIGSEGV in handle_bulk_completion()

We cannot dereference tpriv after calling
usbi_handle_transfer_cancellation() because that function may invoke
the user-supplied callback which may free the transfer.

diff --git a/AUTHORS b/AUTHORS
index 6e17e37..86d9a3f 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -2,6 +2,7 @@ Copyright (C) 2007-2008 Daniel Drake <dsd@gentoo.org>
 Copyright (c) 2001 Johannes Erdfelt <johannes@erdfelt.com>
 
 Other contributors:
+Artem Egorkine
 David Engraf
 Rob Walker
 Vasily Khoruzhick

diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
index 2e9e0e2..95c3e25 100644 (file)
--- a/libusb/os/linux_usbfs.c
+++ b/libusb/os/linux_usbfs.c
@@ -1577,8 +1577,8 @@ static int handle_bulk_completion(struct usbi_transfer *itransfer,
                if (tpriv->awaiting_reap == 0 && tpriv->awaiting_discard == 0) {
                        usbi_dbg("CANCEL: last URB handled, reporting");
                        if (tpriv->reap_action == CANCELLED) {
-                               usbi_handle_transfer_cancellation(itransfer);
                                free(tpriv->urbs);
+                               usbi_handle_transfer_cancellation(itransfer);
                                return 0;
                        } else if (tpriv->reap_action == COMPLETED_EARLY) {
                                goto out;