Hi all,

Getting a NULL tpriv->urbs pointer causes a negative urb_idx and subsequently
undefined behavior! This happens when removing a USB device during a transfer,
with a chance of ~20%.

With the small extension the error can be made visible:

static int handle_bulk_completion(struct usbi_transfer *itransfer,
        struct usbfs_urb *urb)
{
        struct linux_transfer_priv *tpriv =
usbi_transfer_get_os_priv(itransfer);
        struct libusb_transfer *transfer =
USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
        int urb_idx = urb - tpriv->urbs;

        usbi_mutex_lock(&itransfer->lock);
        usbi_dbg("handling completion status %d of bulk urb %d/%d", urb->status,
                urb_idx + 1, tpriv->num_urbs);
+       if (urb_idx < -2)
+       {
+         usbi_dbg("usb_idx lt 0: %d %p %p
%d",urb_idx,urb,tpriv->urbs,tpriv->num_urbs);
+       }
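
Review bot: the added "if (urb_idx < -2)" test comes after "int urb_idx = urb - tpriv->urbs;" has already run, so the subtraction against a NULL tpriv->urbs is still performed, and it is performed in the declarations before usbi_mutex_lock(&itransfer->lock) is taken. Test tpriv->urbs for NULL directly, after taking the lock, and only then derive the index. The threshold -2 also lets -1 and -2 through although the message text says "lt 0"; a check of urb_idx < 0 || urb_idx >= tpriv->num_urbs would match the intent. The message prints "usb_idx" where the variable is urb_idx.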


Example result:

Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx:
debug [usbi_handle_transfer_completion] transfer 0x880b114 has callback
0xb7045e40
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx:
debug [sync_transfer_cb] actual_length=0
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx:
debug [reap_for_handle] urb type=3 status=-2 transferred=0
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx:
debug [handle_bulk_completion] handling completion status -2 of bulk urb
-1168226879/4
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx:
debug [handle_bulk_completion] usb_idx lt 0: -1168226880 0x833fd00 (nil) 4
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.774000] [00007c51] libusbx:
debug [linux_netlink_read_message] netlink hotplug found device busnum: 2,
devaddr: 77, sys_name: 2-1.4, removed: yes

It looks like an inconsistency between the tpriv->urbs pointer and
tpriv->num_urbs. If there are no URBs (null pointer) but the number of URBs is
> 0, there is an inconsistency appearing somewhere...

Best regards,

Erik

_______________________________________________
libusbx-devel mailing list
libusbx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusbx-devel
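
Added example, not part of the mail above and not libusbx code: it emulates in plain integer arithmetic how a 32-bit pointer subtraction turns the logged urb address 0x833fd00 and a NULL tpriv->urbs into the logged index -1168226880, and puts a range-checked index next to it. The 44-byte element size (struct usbfs_urb on a 32-bit build) is an assumption, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizeof(struct usbfs_urb) on a 32-bit build. */
#define URB_SIZE_32BIT 44u

/* Inverse of an odd number modulo 2^32, by Newton iteration. */
static uint32_t inv_odd32(uint32_t a)
{
    uint32_t x = a;                 /* a*a == 1 (mod 8): 3 correct bits */
    for (int i = 0; i < 5; i++) x *= 2u - a * x;   /* bits double per round */
    return x;
}

/* Reinterpret 32 bits as two's complement without implementation-defined casts. */
static int32_t to_i32(uint32_t u)
{
    return u < 0x80000000u ? (int32_t)u : (int32_t)(u - 0x80000000u) - 2147483647 - 1;
}

/* Emulates "p - base" on 32-bit: the byte distance is assumed to be an exact
 * multiple of elem_size, so it is shifted and multiplied by an inverse. */
static int32_t wrapped_index(uint32_t p, uint32_t base, uint32_t elem_size)
{
    uint32_t diff = p - base;
    while ((elem_size & 1u) == 0) {
        elem_size >>= 1;
        diff = (diff >> 1) | (diff & 0x80000000u);   /* arithmetic shift */
    }
    return to_i32(diff * inv_odd32(elem_size));
}

/* Defensive form: reject a NULL base or an address outside the array. */
static int checked_index(uint32_t p, uint32_t base, uint32_t num, int32_t *idx)
{
    uint32_t diff = p - base;
    if (base == 0 || num == 0 || p < base ||
        diff % URB_SIZE_32BIT != 0 || diff / URB_SIZE_32BIT >= num)
        return -1;
    *idx = to_i32(diff / URB_SIZE_32BIT);
    return 0;
}

int main(void)
{
    int32_t idx = 0;   /* inputs below are the values from the log above */
    printf("wrapped=%d checked=%d\n", (int)wrapped_index(0x833fd00u, 0u, URB_SIZE_32BIT),
           checked_index(0x833fd00u, 0u, 4u, &idx));
    return 0;
}
```

The wrapped value plus one is the -1168226879 printed in the "bulk urb -1168226879/4" line, since the debug call prints urb_idx + 1.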