aboutsummaryrefslogtreecommitdiff
path: root/net/unix/diag.c
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2012-07-19 16:08:21 -0400
committerJiri Kosina <jkosina@suse.cz>2012-07-20 11:24:23 +0200
commit668160e5a80536251b4931a332dfe34d6ec2aeb7 (patch)
tree326dff1f73e54f8f57a49b090a9f0411cd22dfdb /net/unix/diag.c
parent61c901c56905256a4a4d7c2af92d66200a2ee7f2 (diff)
HID: usbhid: fix use-after-free bug
This patch (as1592) fixes an obscure problem in the usbhid driver. Under some circumstances, a control or interrupt-OUT URB can be submitted twice. This will happen if the first submission fails; the queue pointers aren't updated, so the next time the queue is restarted the same URB will be submitted again. The problem is that raw_report gets deallocated during the first submission. The second submission will then dereference and try to free an already-freed region of memory. The patch fixes the problem by setting raw_report to NULL when it is deallocated and checking for NULL before dereferencing it. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: Oliver Neukum <oliver@neukum.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'net/unix/diag.c')
0 files changed, 0 insertions, 0 deletions