Fixed access to user_data after free
This commit is contained in:
akallabeth
Armin Novak
parent
54c92e78e6
commit
8c859575cf
@ -222,7 +222,6 @@ static ASYNC_TRANSFER_USER_DATA* async_transfer_user_data_new(IUDEVICE* idev, UI
|
|||||||
|
|
||||||
static void async_transfer_user_data_free(ASYNC_TRANSFER_USER_DATA* user_data)
|
static void async_transfer_user_data_free(ASYNC_TRANSFER_USER_DATA* user_data)
|
||||||
{
|
{
|
||||||
|
|
||||||
if (user_data)
|
if (user_data)
|
||||||
{
|
{
|
||||||
Stream_Free(user_data->data, TRUE);
|
Stream_Free(user_data->data, TRUE);
|
||||||
@ -234,8 +233,9 @@ static void func_iso_callback(struct libusb_transfer* transfer)
|
|||||||
{
|
{
|
||||||
ASYNC_TRANSFER_USER_DATA* user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
ASYNC_TRANSFER_USER_DATA* user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
||||||
const UINT32 streamID = stream_id_from_buffer(transfer);
|
const UINT32 streamID = stream_id_from_buffer(transfer);
|
||||||
|
wArrayList* list = user_data->queue;
|
||||||
|
|
||||||
ArrayList_Lock(user_data->queue);
|
ArrayList_Lock(list);
|
||||||
switch (transfer->status)
|
switch (transfer->status)
|
||||||
{
|
{
|
||||||
case LIBUSB_TRANSFER_COMPLETED:
|
case LIBUSB_TRANSFER_COMPLETED:
|
||||||
@ -277,7 +277,7 @@ static void func_iso_callback(struct libusb_transfer* transfer)
|
|||||||
const UINT32 InterfaceId =
|
const UINT32 InterfaceId =
|
||||||
((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
|
((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
|
||||||
|
|
||||||
if (list_contains(user_data->queue, streamID))
|
if (list_contains(list, streamID))
|
||||||
{
|
{
|
||||||
if (!user_data->noack)
|
if (!user_data->noack)
|
||||||
{
|
{
|
||||||
@ -289,14 +289,14 @@ static void func_iso_callback(struct libusb_transfer* transfer)
|
|||||||
user_data->OutputBufferSize);
|
user_data->OutputBufferSize);
|
||||||
user_data->data = NULL;
|
user_data->data = NULL;
|
||||||
}
|
}
|
||||||
ArrayList_Remove(user_data->queue, transfer);
|
ArrayList_Remove(list, transfer);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ArrayList_Unlock(user_data->queue);
|
ArrayList_Unlock(list);
|
||||||
}
|
}
|
||||||
|
|
||||||
static const LIBUSB_ENDPOINT_DESCEIPTOR* func_get_ep_desc(LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig,
|
static const LIBUSB_ENDPOINT_DESCEIPTOR* func_get_ep_desc(LIBUSB_CONFIG_DESCRIPTOR* LibusbConfig,
|
||||||
@ -332,6 +332,7 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
|
|||||||
{
|
{
|
||||||
ASYNC_TRANSFER_USER_DATA* user_data;
|
ASYNC_TRANSFER_USER_DATA* user_data;
|
||||||
uint32_t streamID;
|
uint32_t streamID;
|
||||||
|
wArrayList* list;
|
||||||
|
|
||||||
user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
||||||
if (!user_data)
|
if (!user_data)
|
||||||
@ -339,10 +340,11 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
|
|||||||
WLog_ERR(TAG, "[%s]: Invalid transfer->user_data!");
|
WLog_ERR(TAG, "[%s]: Invalid transfer->user_data!");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
ArrayList_Lock(user_data->queue);
|
list = user_data->queue;
|
||||||
|
ArrayList_Lock(list);
|
||||||
streamID = stream_id_from_buffer(transfer);
|
streamID = stream_id_from_buffer(transfer);
|
||||||
|
|
||||||
if (list_contains(user_data->queue, streamID))
|
if (list_contains(list, streamID))
|
||||||
{
|
{
|
||||||
const UINT32 InterfaceId =
|
const UINT32 InterfaceId =
|
||||||
((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
|
((STREAM_ID_PROXY << 30) | user_data->idev->get_ReqCompletion(user_data->idev));
|
||||||
@ -353,9 +355,9 @@ static void func_bulk_transfer_cb(struct libusb_transfer* transfer)
|
|||||||
transfer->status, user_data->StartFrame, user_data->ErrorCount,
|
transfer->status, user_data->StartFrame, user_data->ErrorCount,
|
||||||
transfer->actual_length);
|
transfer->actual_length);
|
||||||
user_data->data = NULL;
|
user_data->data = NULL;
|
||||||
ArrayList_Remove(user_data->queue, transfer);
|
ArrayList_Remove(list, transfer);
|
||||||
}
|
}
|
||||||
ArrayList_Unlock(user_data->queue);
|
ArrayList_Unlock(list);
|
||||||
}
|
}
|
||||||
|
|
||||||
static BOOL func_set_usbd_status(URBDRC_PLUGIN* urbdrc, UDEVICE* pdev, UINT32* status,
|
static BOOL func_set_usbd_status(URBDRC_PLUGIN* urbdrc, UDEVICE* pdev, UINT32* status,
|
||||||
@ -1591,6 +1593,7 @@ static void request_free(void* value)
|
|||||||
|
|
||||||
user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
user_data = (ASYNC_TRANSFER_USER_DATA*)transfer->user_data;
|
||||||
async_transfer_user_data_free(user_data);
|
async_transfer_user_data_free(user_data);
|
||||||
|
transfer->user_data = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
static IUDEVICE* udev_init(URBDRC_PLUGIN* urbdrc, libusb_context* context, LIBUSB_DEVICE* device,
|
static IUDEVICE* udev_init(URBDRC_PLUGIN* urbdrc, libusb_context* context, LIBUSB_DEVICE* device,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user