Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2026-05-21 04:52:02 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

drivers/usbdev: fix used after free when calling close after uninitialize

Browse Source 
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
This commit is contained in:
dongjiuzhu1
2023-11-29 15:50:32 +08:00
committed by Xiang Xiao
parent 9c55f21a6f
commit 3b39ba72a4
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/usbdev/usbdev_fs.c
+17
View File
@@ -533,6 +533,12 @@ static int usbdev_fs_close(FAR struct file *filep)
{
kmm_free(fs->eps);
fs->eps = NULL;
if (!fs->registered)
{
FAR struct usbdev_fs_driver_s *alloc = container_of(
fs, FAR struct usbdev_fs_driver_s, dev);
kmm_free(alloc);
}
}
}
else
@@ -1411,6 +1417,17 @@ void usbdev_fs_classuninitialize(FAR struct usbdevclass_driver_s *classdev)
}
else
{
FAR struct usbdev_fs_dev_s *fs = &alloc->dev;
int i;
for (i = 0; i < fs->devinfo.nendpoints; i++)
{
if (fs->eps != NULL && fs->eps[i].crefs > 0)
{
return;
}
}
kmm_free(alloc);
}
}