When a transfer is submitted, the device is referenced in libusb_submit_transfer() and unreferenced in usbi_handle_transfer_completion(). The transfer may be freed by the user callback, or is freed by libusb itself if LIBUSB_TRANSFER_FREE_TRANSFER is set in its flags. The call that unreferences the device then reads this possibly freed memory. Reading the device handle beforehand prevents this use-after-free. --- libusb/io.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libusb/io.c b/libusb/io.c
index 64712c2..d766ccf 100644
--- a/libusb/io.c
+++ b/libusb/io.c
@@ -1524,6 +1524,7 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
 struct libusb_transfer *transfer = USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
 struct libusb_context *ctx = TRANSFER_CTX(transfer);
+ struct libusb_device_handle *handle = transfer->dev_handle;
 uint8_t flags;
 int r = 0;
@@ -1564,7 +1565,7 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
 usbi_mutex_lock(&ctx->event_waiters_lock);
 usbi_cond_broadcast(&ctx->event_waiters_cond);
 usbi_mutex_unlock(&ctx->event_waiters_lock);
- libusb_unref_device(transfer->dev_handle->dev);
+ libusb_unref_device(handle->dev);
 return 0;
 }
-- 1.8.1.1
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk _______________________________________________ libusbx-devel mailing list libusbx-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/libusbx-devel
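Review bot: Caching `transfer->dev_handle` only moves the stale read one level up: if the user callback that runs earlier in this function closes the handle with libusb_close(), `handle->dev` in the second hunk still dereferences freed memory. What the submit-time reference keeps alive is the device, so the safer form is to capture the device pointer at entry, `struct libusb_device *dev = transfer->dev_handle->dev;` in the first hunk, and `libusb_unref_device(dev);` here. Whether a callback may legitimately close the handle from the completion path is not visible in these hunks and should be confirmed, and a comment at the declaration, `/* read before the callback, which may free transfer or close the handle */`, would record why the local exists. The body of usbi_handle_transfer_completion between the two hunks, including the callback invocation, lies outside them.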