diff options
| author |   mpi <mpi@openbsd.org> | 2016-09-02 09:23:56 +0000 |
|---|---|---|
| committer | mpi <mpi@openbsd.org> | 2016-09-02 09:23:56 +0000 |
| commit | f46c84480a7b1364b701bdb600c56c37637c2e63 (patch) | |
| tree | 6fad6f16f35ec266d281bfd5ebc79fff5d919ab2 | |
| parent | Prevent a NULL dereference, triggerable with a crafted configuration (diff) | |
| download | wireguard-openbsd-f46c84480a7b1364b701bdb600c56c37637c2e63.tar.xz wireguard-openbsd-f46c84480a7b1364b701bdb600c56c37637c2e63.zip | |
Do not free the configuration descriptor without setting ``dev->cdesc''
to NULL.
Prevent a use after free triggerable with invalid interface descriptor.
Found with umap2 and a facedancer21.
| -rw-r--r-- | sys/dev/usb/usb_subr.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/sys/dev/usb/usb_subr.c b/sys/dev/usb/usb_subr.c index 422aa29374b..53b0776df90 100644 --- a/sys/dev/usb/usb_subr.c +++ b/sys/dev/usb/usb_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: usb_subr.c,v 1.124 2016/09/02 09:20:00 mpi Exp $ */ +/* $OpenBSD: usb_subr.c,v 1.125 2016/09/02 09:23:56 mpi Exp $ */ /* $NetBSD: usb_subr.c,v 1.103 2003/01/10 11:19:13 augustss Exp $ */ /* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */ @@ -781,11 +781,8 @@ usbd_set_config_index(struct usbd_device *dev, int index, int msg) dev->config = cdp->bConfigurationValue; for (ifcidx = 0; ifcidx < nifc; ifcidx++) { err = usbd_fill_iface_data(dev, ifcidx, 0); - if (err) { - while (--ifcidx >= 0) - usbd_free_iface_data(dev, ifcidx); - goto bad; - } + if (err) + return (err); } return (USBD_NORMAL_COMPLETION); |