From f8445d3d9444af2d74de843f77f4d8c71ecf9a93 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Thu, 9 Jul 2020 12:27:17 +0200
Subject: [PATCH] Fixed access to user_data after free
(cherry picked from commit 8c859575cfb0fc9e35d7b211993174af444ff780)
---
 channels/urbdrc/client/libusb/libusb_udevice.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
index 85e15ff..bec9e7c 100644
--- a/channels/urbdrc/client/libusb/libusb_udevice.c
+++ b/channels/urbdrc/client/libusb/libusb_udevice.c
@@ -222,7 +222,6 @@ static ASYNC_TRANSFER_USER_DATA* async_transfer_user_data_new(IUDEVICE* idev, UI
 static void async_transfer_user_data_free(ASYNC_TRANSFER_USER_DATA* user_data)
 {
-
 if (user_data)
 {
 Stream_Free(user_data->data, TRUE);
@@ -234,8 +233,9 @@ static void func_iso_callback(struct libusb_transfer* transfer)
 {
 ASYNC_TRANSFER_USER_DATA* user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
 const UINT32 streamID = stream_id_from_buffer(transfer);
+ wArrayList* list = user_data->queue;
- ArrayList_Lock(user_data->queue);
+ ArrayList_Lock(list);
 switch (transfer->status)
 {
 case LIBUSB_TRANSFER_COMPLETED:
@@ -277,7 +277,7 @@ static void func_iso_callback(struct libusb_transfer* transfer)
 const UINT32 InterfaceId = ((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
- if (list_contains(user_data->queue, streamID))
+ if (list_contains(list, streamID))
 {
 if (!user_data->noack)
 {
@@ -289,14 +289,14 @@ static void func_iso_callback(struct libusb_transfer* transfer)
 user_data->OutputBufferSize);
 user_data->data = NULL;
 }
- ArrayList_Remove(user_data->queue, transfer);
+ ArrayList_Remove(list, transfer);
 }
 }
 break;
 default:
 break;
 }
- ArrayList_Unlock(user_data->queue);
+ ArrayList_Unlock(list);
 }
 static const LIBUSB_ENDPOINT_DESCEIPTOR* func_get_ep_desc(LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig,
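Review bot: In func_iso_callback (hunk `@@ -234,8 +233,9 @@`) the new `wArrayList* list = user_data->queue;` dereferences `user_data` in its initializer with no NULL check, whereas func_bulk_transfer_cb returns early on `!user_data` before it touches the queue. The request_free hunk of this same commit now sets `transfer->user_data = NULL`, so if a completion can still be delivered for a transfer whose entry was already released (not visible on this page; confirm against the cancel and teardown paths), the use-after-free turns into a NULL dereference on this line. Declare `wArrayList* list;` without an initializer and assign it only after a guard such as `if (!user_data) return;`. The body of func_iso_callback continues past this hunk.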
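Review bot: The `ArrayList_Remove(list, transfer);` call in func_iso_callback (hunk `@@ -289,14 +289,14 @@`) carries no comment saying that `user_data` must not be touched after it, which is the invariant this patch relies on. Judging by the commit title and the request_free hunk, removal releases `user_data` through the list's free callback; that wiring is outside the visible lines. A later edit that adds a `user_data->` access below the call would bring the bug back without any compiler warning. I would add `/* may free user_data via request_free(); use only 'list' below */` above the call, and the same comment above the matching call in func_bulk_transfer_cb (hunk `@@ -353,9 +355,9 @@`).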
@@ -332,6 +332,7 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
 {
 ASYNC_TRANSFER_USER_DATA* user_data;
 uint32_t streamID;
+ wArrayList* list;
 user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
 if (!user_data)
@@ -339,10 +340,11 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
 WLog_ERR(TAG, "[%s]: Invalid transfer->user_data!");
 return;
 }
- ArrayList_Lock(user_data->queue);
+ list = user_data->queue;
+ ArrayList_Lock(list);
 streamID = stream_id_from_buffer(transfer);
- if (list_contains(user_data->queue, streamID))
+ if (list_contains(list, streamID))
 {
 const UINT32 InterfaceId = ((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
@@ -353,9 +355,9 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
 transfer->status, user_data->StartFrame, user_data->ErrorCount, transfer->actual_length);
 user_data->data = NULL;
- ArrayList_Remove(user_data->queue, transfer);
+ ArrayList_Remove(list, transfer);
 }
- ArrayList_Unlock(user_data->queue);
+ ArrayList_Unlock(list);
 }
 static BOOL func_set_usbd_status(URBDRC_PLUGIN* urbdrc, UDEVICE* pdev, UINT32* status,
@@ -1592,6 +1594,7 @@ static void request_free(void* value)
 user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
 async_transfer_user_data_free(user_data);
+ transfer->user_data = NULL;
 }
 static IUDEVICE* udev_init(URBDRC_PLUGIN* urbdrc, libusb_context* context, LIBUSB_DEVICE* device,
--
2.7.4
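Review bot: The context line `WLog_ERR(TAG, "[%s]: Invalid transfer->user_data!");` in func_bulk_transfer_cb (hunk `@@ -339,10 +340,11 @@`) has a `%s` conversion and no argument for it, so, assuming WLog_ERR is printf-style as the format suggests, the error path reads an indeterminate variadic argument as a string pointer. This is the branch taken when `transfer->user_data` is NULL, a state that the request_free hunk now produces deliberately. Supplying the function name fixes it: `WLog_ERR(TAG, "[%s]: Invalid transfer->user_data!", __func__);`. The commit does not touch this line, so it would be a follow-up change in the same function.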