Re: [PATCH 3/3] usb: gadget: dfu: Reset global variables on unbind

On Tue, Mar 24, 2020 at 04:46:47PM +0100, Jules Maselbas wrote:
> Global variables must be reset to their default value before a new
> dfu_bind is done. Otherwise things won't work and are likely to cause
> a system crash due to a use after free: the global dfu_files was still
> pointing to a deallocated structure after unbind.
> 
> Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx>
> ---
>  drivers/usb/gadget/dfu.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/drivers/usb/gadget/dfu.c b/drivers/usb/gadget/dfu.c
> index 592586db1..5504f4933 100644
> --- a/drivers/usb/gadget/dfu.c
> +++ b/drivers/usb/gadget/dfu.c
> @@ -277,6 +277,15 @@ dfu_unbind(struct usb_configuration *c, struct usb_function *f)
>  {
>  	struct f_dfu		*dfu = func_to_dfu(f);
>  
> +	memset(&dfu_mtdinfo, 0, sizeof(dfu_mtdinfo));
> +	dfu_files = NULL;
> +	dfu_file_entry = NULL;
> +	dfufd = -EINVAL;
> +	dfudetach = 0;
> +	dfu_written = 0;
> +	dfu_erased = 0;
> +	prog_erase = 0;
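
Review bot: the eight resets added at the top of dfu_unbind() make a correct re-bind depend on the previous unbind having run; putting them in a small helper that dfu_bind() also calls at its start would give every bind a known state regardless of ordering. Also, `dfufd = -EINVAL` overwrites the descriptor value with no close visible in this hunk; if a transfer can still have the file open when unbind runs, close it before discarding the value. Since the commit message attributes the crash to dfu_files pointing at freed memory, `dfu_files = NULL` is best kept directly next to the free so the pointer is never left dangling in between.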

Ah, ok, here is the missing initialization ;)

Please swap the order of patches 2/3 and 3/3

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
