Global variables must be reset to their default value before a new dfu_bind is done. Otherwise things won't work and are likely to cause a system crash due to a use after free: the global dfu_files was still pointing to a deallocated structure after unbind. Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx> --- drivers/usb/gadget/dfu.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/usb/gadget/dfu.c b/drivers/usb/gadget/dfu.c index 592586db1..5504f4933 100644 --- a/drivers/usb/gadget/dfu.c +++ b/drivers/usb/gadget/dfu.c @@ -277,6 +277,15 @@ dfu_unbind(struct usb_configuration *c, struct usb_function *f) { struct f_dfu *dfu = func_to_dfu(f); + memset(&dfu_mtdinfo, 0, sizeof(dfu_mtdinfo)); + dfu_files = NULL; + dfu_file_entry = NULL; + dfufd = -EINVAL; + dfudetach = 0; + dfu_written = 0; + dfu_erased = 0; + prog_erase = 0; + usb_free_all_descriptors(f); dma_free(dfu->dnreq->buf); -- 2.21.0.196.g041f5ea _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
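Review bot: In the dfu_unbind hunk, `dfufd = -EINVAL;` and `dfu_files = NULL;` drop the old values without any visible close or free, so if a download was interrupted with the descriptor still open, or the file list is owned by this module, the reset leaks them rather than releasing them; close `dfufd` when it is `>= 0` and free/detach the list before clearing the pointers, or state in the commit message why no resource can still be live at unbind. The same eight assignments presumably mirror the defaults set in dfu_bind, so a small `dfu_reset_globals()` helper called from both bind and unbind would keep the defaults in one place and make the next added global harder to forget.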