linux/drivers/hid/usbhid
Alan Stern 668160e5a8 HID: usbhid: fix use-after-free bug
This patch (as1592) fixes an obscure problem in the usbhid driver.
Under some circumstances, a control or interrupt-OUT URB can be
submitted twice.  This will happen if the first submission fails; the
queue pointers aren't updated, so the next time the queue is restarted
the same URB will be submitted again.

The problem is that raw_report gets deallocated during the first
submission.  The second submission will then dereference and try to
free an already-freed region of memory.  The patch fixes the problem
by setting raw_report to NULL when it is deallocated and checking for
NULL before dereferencing it.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2012-07-20 11:24:23 +02:00
hid-core.c HID: usbhid: fix use-after-free bug 2012-07-20 11:24:23 +02:00
hid-pidff.c
hid-quirks.c HID: add Sennheiser BTD500USB device support 2012-07-09 16:21:32 +02:00
hiddev.c HID: hiddev: Use vzalloc to allocate hiddev_list 2012-04-27 16:03:40 +02:00
Kconfig HID: Fix the generic Kconfig options 2012-06-25 17:25:00 +02:00
Makefile
usbhid.h HID: usbhid: fix error handling of not enough bandwidth 2012-03-30 15:14:27 +02:00
usbkbd.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2012-01-10 10:48:28 -08:00
usbmouse.c USB: usbmouse.c: remove err() usage 2012-04-25 14:48:20 -07:00