usb/150546: libusb(3) libusb_control_transfer() prototype is incorrect

>Number: 150546
>Category: usb
>Synopsis: libusb(3) libusb_control_transfer() prototype is incorrect
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 14 01:00:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Robert Jenssen
>Release: 8-Stable
>Organization: IPS radio and space services
>Environment:
FreeBSD 8.1-STABLE FreeBSD 8.1-STABLE #0: Thu Sep 9 09:41:10 EST 2010 r...@:/usr/obj/usr/src/sys/ECLIPSE i386
>Description:
In the libusb(3) man page the prototype of libusb_control_transfer is:

    int libusb_control_transfer(libusb_device_handle *devh, uint8_t bmRequestType, uint16_t wIndex, unsigned char *data, uint16_t wLength, unsigned int timeout)

In /usr/include/libusb.h the prototype of libusb_control_transfer is:

    int libusb_control_transfer(libusb_device_handle * devh, uint8_t bmRequestType, uint8_t bRequest, uint16_t wValue, uint16_t wIndex, uint8_t *data, uint16_t wLength, uint32_t timeout);

>How-To-Repeat:
>Fix:
diff -C 3 libusb.3.orig libusb.3 *** libusb.3.orig Tue Sep 14 10:48:23 2010 --- libusb.3Tue Sep 14 10:48:51 2010 *** *** 337,343 . .Pp .Ft int ! .Fn libusb_control_transfer "libusb_device_handle *devh" "uint8_t bmRequestType" "uint16_t wIndex" "unsigned char *data" "uint16_t wLength" "unsigned int timeout" Perform a USB control transfer. Returns 0 on success, LIBUSB_ERROR_TIMEOUT if the transfer timeout, LIBUSB_ERROR_PIPE if the control request was not supported, LIBUSB_ERROR_NO_DEVICE if the device has been disconnected and --- 337,343 . .Pp .Ft int ! .Fn libusb_control_transfer "libusb_device_handle *devh" "uint8_t bmRequestType" "uint8_t bRequest" "uint16_t wValue" "uint16_t wIndex" "unsigned char *data" "uint16_t wLength" "unsigned int timeout" Perform a USB control transfer. 
Returns 0 on success, LIBUSB_ERROR_TIMEOUT if the transfer timeout, LIBUSB_ERROR_PIPE if the control request was not supported, LIBUSB_ERROR_NO_DEVICE if the device has been disconnected and
>Release-Note:
>Audit-Trail:
>Unformatted:
___
freebsd-usb@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-usb
To unsubscribe, send any mail to "freebsd-usb-unsubscr...@freebsd.org"
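
Review bot: the replacement .Fn line in the 337,343 hunk still declares "unsigned char *data" and "unsigned int timeout", while the libusb.h prototype quoted in the description has uint8_t *data and uint32_t timeout; if the man page is meant to match the header, change those two arguments in the same edit that adds bRequest and wValue. The unchanged context line "if the transfer timeout" could be corrected to "timed out" while the paragraph is being touched.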
Re:usb/140325 Missing/incorrect initialisation and memory leak in libusb10/libusb20
The following reply was made to PR usb/140325; it has been noted by GNATS.

From: Robert Jenssen
To: bug-follo...@freebsd.org
Cc: Hans Petter Selasky
Subject: Re:usb/140325 Missing/incorrect initialisation and memory leak in libusb10/libusb20
Date: Wed, 9 Dec 2009 23:03:15 +1100

Just a nudge to say that libusb10.c, libusb10.h, libusb20.c and libusb20.h in 8.0-STABLE still need to be updated from Perforce. This bug could then be closed.

Regards,
Rob Jenssen

--
Robert Jenssen
Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
The following reply was made to PR usb/140325; it has been noted by GNATS.

From: Robert Jenssen
To:
Cc:
Subject: Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
Date: Fri, 6 Nov 2009 14:57:00 +1100

Hi,

Sorry for the noise. In my last email I missed out a memory leak:

6. In libusb10.c, libusb_close(), pdev isn't freed.

Here is a diff:

*** libusb10.c2009-11-06 13:30:51.0 +1100 --- libusb10.c.orig2009-08-03 18:13:06.0 +1000 *** *** 416=2C422 libusb10_remove_pollfd(ctx=2C &dev->dev_poll)=3B =20 libusb20_dev_close(pdev)=3B - free(pdev)=3B libusb_unref_device(dev)=3B =20 /* make sure our event loop detects the closed device */ --- 416=2C421

--
Robert Jenssen
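
Review bot: in the 416,422 hunk free(pdev) runs immediately before libusb_unref_device(dev); check whether the unref path still reads or releases the libusb20 device behind dev when the reference count reaches zero, because if it does, this change trades the leak for a use-after-free or a double free. If pdev is owned by dev, release it where dev itself is destroyed rather than in libusb_close(). The diff is also taken from the patched libusb10.c to libusb10.c.orig, so the line marked "-" is the one being added.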
Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
The following reply was made to PR usb/140325; it has been noted by GNATS.

From: Robert Jenssen
To: bug-follo...@freebsd.org, robertjens...@hotmail.com
Cc:
Subject: Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
Date: Fri, 6 Nov 2009 14:42:13 +1100

Hi,

Regarding my bug report usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20. I revised my simple test to:

    #include <libusb.h>
    /* The archived message has a second #include whose header name was not preserved. */

    /* Reproducer for valgrind; return values are not checked. */
    int main(void)
    {
        libusb_context *context;
        struct libusb_device **devs;
        libusb_device_handle *handle;
        struct libusb_config_descriptor *config;
        struct libusb_device_descriptor device_desc;
        int bytes;
    #define STRLEN 128
        unsigned char str[STRLEN];
        int transferred;

        libusb_init(&context);
        libusb_get_device_list(context, &devs);
        libusb_get_active_config_descriptor(devs[0], &config);
        libusb_free_config_descriptor(config);
        libusb_get_device_descriptor(devs[0], &device_desc);
        libusb_open(devs[0], &handle);
        libusb_get_string_descriptor_ascii(handle, device_desc.iProduct, str, STRLEN);
        libusb_claim_interface(handle, 1);
        libusb_bulk_transfer(handle, 1, str, STRLEN, &transferred, 0);
        libusb_release_interface(handle, 1);
        libusb_close(handle);
        libusb_free_device_list(devs, 1);
        libusb_exit(context);
        return 0;
    }

and found two additional problems:

4. A jump on uninitialised occurs at libusb20.c:658 in libusb20_dev_req_string_sync():

    req.wLength = *(uint8_t *)ptr; /* bytes */
    if (req.wLength > len) {

To fix, zero the upper byte with:

    memset(ptr, 0, len);

5. A memory leak occurs for devs[0] in the above test. devs[0]->refcnt is incremented to 3 during libusb_bulk_transfer() but not decremented on exit from that function. Consequently, devs[0] is not freed in libusb_free_device_list(). I couldn't see a quick fix for this and it's a minor memory leak (44 bytes) so I will leave it for an expert.

Regards,
Rob

--
Robert Jenssen
usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20

>Number: 140325
>Category: usb
>Synopsis: Missing/incorrect initialisation and memory leak in libusb10/libusb20
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 06 00:30:07 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Robert Jenssen
>Release: 8.0RC2
>Organization:
>Environment:
FreeBSD kraken 8.0-RC2 FreeBSD 8.0-RC2 #0: Fri Nov 6 02:43:24 EST 2009 r...@kraken:/usr/obj/usr/src/sys/KRAKEN i386
>Description:
I was getting some weird values for usb configuration descriptor extra length. Valgrind is a wonderful tool recently ported to FreeBSD by s...@freebsd.org. Using valgrind I found the following problems (fixed in the attached patch):

1. In libusb10_desc.c, libusb_get_config_descriptor(), at line 162:

    pconfd->interface = (libusb_interface *) (pconfd + sizeof(libusb_config_descriptor));

should be:

    pconfd->interface = (libusb_interface *) (pconfd + 1);

This problem causes illegal writes past the end of pconfd.

2. In libusb20_ugen20.c, ugen20_get_config_desc_full(), cdesc and ptr are not initialised. This problem causes branches on uninitialised values.

3. In libusb20.c, libusb20_be_free(), pbe is not free'd. This problem causes a minor memory leak.

>How-To-Repeat:
Compile the following test, link with a debug version of libusb.a and run valgrind.

    #include <libusb.h>

    /* Reproducer for valgrind; return values are not checked. */
    int main(void)
    {
        libusb_context *context;
        struct libusb_device **devs;
        struct libusb_config_descriptor *config;

        libusb_init(&context);
        libusb_get_device_list(context, &devs);
        libusb_get_active_config_descriptor(devs[0], &config);
        libusb_free_config_descriptor(config);
        libusb_free_device_list(devs, 1);
        libusb_exit(context);
        return 0;
    }

>Fix:
Apply the attached patch in /usr/src/lib/libusb

Patch attached with submission follows:

*** libusb10_desc.c 2009-11-06 10:35:00.0 +1100 --- libusb10_desc.c.orig2009-08-03 18:13:06.0 +1000 *** *** 116,133 nep = 0; nextra = pconf->extra.len; - #define NEXTRA_ALIGN_TO(n) (nextra=((nextra+n)/n)*n) for (i = 0; i < nif; i++) { pinf = pconf->interface + i; nextra += pinf->extra.len; - NEXTRA_ALIGN_TO(16); nep += pinf->num_endpoints; k = pinf->num_endpoints; pend = pinf->endpoints; while (k--) { nextra += pend->extra.len; - NEXTRA_ALIGN_TO(16); pend++; } --- 116,130 *** *** 136,148 pinf = pinf->altsetting; while (j--) { nextra += pinf->extra.len; - NEXTRA_ALIGN_TO(16); nep += pinf->num_endpoints; k = pinf->num_endpoints; pend = pinf->endpoints; while (k--) { nextra += pend->extra.len; - NEXTRA_ALIGN_TO(16); pend++; } pinf++; --- 133,143 *** *** 155,163 (nalt * sizeof(libusb_interface_descriptor)) + (nep * sizeof(libusb_endpoint_descriptor)); - /* Align nextra */ - NEXTRA_ALIGN_TO(16); - pconfd = malloc(nextra); if (pconfd == NULL) { --- 150,155 *** *** 167,173 /* make sure memory is clean */ memset(pconfd, 0, nextra); ! pconfd->interface = (libusb_interface *) (pconfd + 1); ifd = (libusb_interface_descriptor *) (pconfd->interface + nif); endd = (libusb_endpoint_descriptor *) (ifd + nalt); --- 159,166 /* make sure memory is clean */ memset(pconfd, 0, nextra); ! pconfd->interface = (libusb_interface *) (pconfd + ! 
sizeof(libusb_config_descriptor)); ifd = (libusb_interface_descriptor *) (pconfd->interface + nif); endd = (libusb_endpoint_descriptor *) (ifd + nalt); *** *** 194,200 for (i = 0; i < nif; i++) { - pconfd->interface[i].altsetting = 0; pconfd->interface[i].altsetting = ifd; ifd->endpoint = endd; endd += pconf->interface[i].num_endpoints; --- 187,192 *** libusb20.c 2009-11-06 10:35:00.0 +1100 --- libusb20.c.orig 2009-08-03 18:13:06.0 +1000 *** *** 1093,1100 if (pbe->methods->exit_backend) { pbe->methods->exit_backend(pbe); } - /* free
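
Review bot: NEXTRA_ALIGN_TO(n) in the 116,133 hunk expands to (nextra=((nextra+n)/n)*n), which adds a full n bytes when nextra is already a multiple of n and leaves n unparenthesised; ((nextra + (n) - 1) / (n)) * (n) rounds up without the extra block. The macro and its uses in the 116,133, 136,148 and 155,163 hunks are not covered by any of the three problems listed in the description, so say there why the 16-byte padding is needed. The diff is taken from the patched file to the .orig file, so lines marked "-" are the additions.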
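
Review bot: in the 194,200 hunk the added pconfd->interface[i].altsetting = 0; is overwritten by pconfd->interface[i].altsetting = ifd; on the very next line, so it has no effect; drop it, or name the field that was meant to be cleared. The memset(pconfd, 0, nextra) visible in the 167,173 hunk already zeroes the whole block.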
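
The pointer-arithmetic slip in item 1 of the report above, worked through as an added example (not code from the PR or from FreeBSD's libusb). The structs are constructed stand-ins and `add_sz`, `plan`, `ptr_add_offset` and `iface_in_bounds` are hypothetical helper names; the example goes slightly beyond the report by also refusing a size sum that would wrap `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the descriptor structs (not FreeBSD's fields). */
struct ep    { uint8_t addr; uint16_t max_packet; };
struct alt   { uint8_t number; struct ep *endpoint; };
struct iface { struct alt *altsetting; int num_altsetting; };
struct conf  { uint16_t total_len; struct iface *interface; };
struct layout { size_t iface_off, alt_off, ep_off, extra_off, total; };

/* *acc += count * size (size != 0); -1 instead of letting size_t wrap. */
static int add_sz(size_t *acc, size_t count, size_t size) {
    if (count > (SIZE_MAX - *acc) / size) return -1;
    *acc += count * size;
    return 0;
}

/* Offsets in one malloc'd block: header, interfaces, alts, endpoints, extra. */
static int plan(size_t nif, size_t nalt, size_t nep, size_t nextra, struct layout *l) {
    size_t off = sizeof(struct conf);
    l->iface_off = off;                  /* same bytes as pconfd + 1 */
    if (add_sz(&off, nif, sizeof(struct iface))) return -1;
    l->alt_off = off;
    if (add_sz(&off, nalt, sizeof(struct alt))) return -1;
    l->ep_off = off;
    if (add_sz(&off, nep, sizeof(struct ep))) return -1;
    l->extra_off = off;
    if (add_sz(&off, nextra, 1)) return -1;
    l->total = off;
    return 0;
}

/* Byte offset of "pconfd + n": n is scaled by sizeof(struct conf). */
static size_t ptr_add_offset(size_t n) { return n * sizeof(struct conf); }

/* 1 if nif interfaces placed at byte offset off stay inside the block. */
static int iface_in_bounds(const struct layout *l, size_t off, size_t nif) {
    return off <= l->total && nif <= (l->total - off) / sizeof(struct iface);
}

int main(void) {
    struct layout l;
    if (plan(1, 1, 1, 0, &l)) return 1;
    int ok = iface_in_bounds(&l, ptr_add_offset(1), 1);
    int bad = iface_in_bounds(&l, ptr_add_offset(sizeof(struct conf)), 1);
    printf("pconfd + 1 in bounds: %d, pconfd + sizeof(...) in bounds: %d\n", ok, bad);
    return 0;
}
```

With a large enough `nextra` the mis-scaled offset can land inside the block and still overlap the alt-setting, endpoint or extra regions, which is why a tool such as valgrind only flags it for small descriptors.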
usb/140259: libusb-1.0 portability/compatibility nits

>Number: 140259
>Category: usb
>Synopsis: libusb-1.0 portability/compatibility nits
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 04 01:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Robert Jenssen
>Release: 8.0RC2
>Organization:
>Environment:
FreeBSD kraken 8.0-RC2 FreeBSD 8.0-RC2 #0: Sat Oct 31 05:40:55 EST 2009 r...@kraken:/usr/obj/usr/src/sys/KRAKEN i386
>Description:
Thank you for porting libusb-1.0 to the FreeBSD kernel. Being new to usb programming, I tried to compile the non-trivial example program, dpfp.c, provided with the libusb-1.0.3.tar.bz2 tarball available from "http://sourceforge.net/projects/libusb/files/libusb-1.0/libusb-1.0.3/libusb-1.0.3.tar.bz2/download". I found two problems

1. FreeBSD libusb10 is not quite portable. Here is a diff required to get dpfp.c to compile:

[robj examples]diff dpfp.c dpfp.c.orig 30,32c30 < #include < < #define LIBUSB_CONTROL_SETUP_SIZE (sizeof(struct libusb_control_setup)) --- > #include 62c60 < static libusb_device_handle *devh = NULL; --- > static struct libusb_device_handle *devh = NULL;

2. Some libusb-1.0 functions are not implemented. Here is an attempt to link dpfp.c:

[robj examples]gcc -O0 -g -o dpfp -lusb dpfp.c
/var/tmp//ccPc8n2t.o(.text+0x4dc): In function `set_mode_async':
/home/robj/TMP/libusb-1.0.3/examples/dpfp.c:182: undefined reference to `libusb_fill_control_setup'
/var/tmp//ccPc8n2t.o(.text+0x51c):/home/robj/TMP/libusb-1.0.3/examples/dpfp.c:184: undefined reference to `libusb_fill_control_transfer'
/var/tmp//ccPc8n2t.o(.text+0xbe5): In function `alloc_transfers':
/home/robj/TMP/libusb-1.0.3/examples/dpfp.c:406: undefined reference to `libusb_fill_bulk_transfer'
/var/tmp//ccPc8n2t.o(.text+0xc2c):/home/robj/TMP/libusb-1.0.3/examples/dpfp.c:408: undefined reference to `libusb_fill_interrupt_transfer'

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
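
Review bot: the 30,32c30 region defines LIBUSB_CONTROL_SETUP_SIZE inside dpfp.c, which fixes only this one program; a define of that name in FreeBSD's libusb.h would let unmodified libusb-1.0 sources build. The 62c60 change drops "struct" from "struct libusb_device_handle", so the header should also accept the struct-tag spelling rather than requiring each application to be edited.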