    HID: usbhid: fix use-after-free bug · 668160e5
    Alan Stern authored
    This patch (as1592) fixes an obscure problem in the usbhid driver.
    Under some circumstances, a control or interrupt-OUT URB can be
    submitted twice.  This will happen if the first submission fails; the
    queue pointers aren't updated, so the next time the queue is restarted
    the same URB will be submitted again.
    
    The problem is that raw_report gets deallocated during the first
    submission.  The second submission will then dereference and try to
    free an already-freed region of memory.  The patch fixes the problem
    by setting raw_report to NULL when it is deallocated and checking for
    NULL before dereferencing it.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    CC: Oliver Neukum <oliver@neukum.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
hid-core.c 43.6 KB
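
The resubmission path described in the commit message, as an added user-space C model (not the driver's code and not part of the commit). All struct and function names are hypothetical, and `fake_submit` stands in for URB submission.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model; all names are hypothetical, not the usbhid driver's. */
struct out_entry { unsigned char *raw_report; size_t len; };
struct out_queue {
    struct out_entry slot[4];
    unsigned tail;              /* next entry to submit */
    unsigned char xfer[64];     /* stands in for the URB transfer buffer */
};

static int fail_next;           /* makes the stand-in submit fail once */
static int fake_submit(void) { int r = fail_next ? -1 : 0; fail_next = 0; return r; }

/* Copy the report into the transfer buffer, release it, then submit.
 * On failure the tail is not advanced, so a restart submits this entry again. */
int submit_out(struct out_queue *q)
{
    struct out_entry *e = &q->slot[q->tail];
    if (e->raw_report) {        /* NULL check before dereferencing */
        memcpy(q->xfer, e->raw_report, e->len);
        free(e->raw_report);
        e->raw_report = NULL;   /* cleared at the point of deallocation */
    }
    if (fake_submit() != 0)
        return -1;              /* queue pointer left unchanged */
    q->tail = (q->tail + 1) % 4;
    return 0;
}

/* Constructed scenario: the first submission fails, a queue restart retries it.
 * Returns 0 when the retry reuses the copied data without touching freed memory. */
int retry_after_failure(void)
{
    struct out_queue q;
    memset(&q, 0, sizeof q);
    q.slot[0].len = 3;
    q.slot[0].raw_report = malloc(3);
    if (!q.slot[0].raw_report) return -1;
    memcpy(q.slot[0].raw_report, "\x01\x02\x03", 3);

    fail_next = 1;
    if (submit_out(&q) != -1 || q.tail != 0 || q.slot[0].raw_report) return 1;
    if (submit_out(&q) != 0 || q.tail != 1) return 2;
    return memcmp(q.xfer, "\x01\x02\x03", 3) ? 3 : 0;
}

int main(void) { return retry_after_failure(); }
```

Without the `e->raw_report = NULL` assignment, the second `submit_out` call would copy from and free the same pointer again; building the model with `-fsanitize=address` reports that case.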