author | Artem Egorkine <arteme@gmail.com> | 2008-06-17 18:27:38 -0500 |
---|---|---|
committer | Daniel Drake <dsd@gentoo.org> | 2008-06-17 18:27:38 -0500 |
commit | 546dee211eefbdd280fd1fc9dee84a9b52105078 (patch) | |
tree | db340d74af0df94849c2548ab3fe026eb3f2ce64 | |
parent | 947ba8056456a5215724fb502e3e09d50016f699 (diff) | |
download | libusb-546dee211eefbdd280fd1fc9dee84a9b52105078.tar.gz |
a fix for SIGSEGV in handle_bulk_completion()
We cannot dereference tpriv after calling
usbi_handle_transfer_cancellation() because that function may invoke
the user-supplied callback which may free the transfer.
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | libusb/os/linux_usbfs.c | 2 |
2 files changed, 2 insertions, 1 deletions
@@ -2,6 +2,7 @@ Copyright (C) 2007-2008 Daniel Drake <dsd@gentoo.org> Copyright (c) 2001 Johannes Erdfelt <johannes@erdfelt.com> Other contributors: +Artem Egorkine David Engraf Rob Walker Vasily Khoruzhick
diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
index 2e9e0e2..95c3e25 100644
--- a/libusb/os/linux_usbfs.c
+++ b/libusb/os/linux_usbfs.c
@@ -1577,8 +1577,8 @@ static int handle_bulk_completion(struct usbi_transfer *itransfer,
 if (tpriv->awaiting_reap == 0 && tpriv->awaiting_discard == 0) {
 usbi_dbg("CANCEL: last URB handled, reporting");
 if (tpriv->reap_action == CANCELLED) {
- usbi_handle_transfer_cancellation(itransfer);
 free(tpriv->urbs);
+ usbi_handle_transfer_cancellation(itransfer);
 return 0;
 } else if (tpriv->reap_action == COMPLETED_EARLY) {
 goto out; |
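Review bot: After `free(tpriv->urbs);` in the CANCELLED branch the pointer is left dangling while the user callback runs inside `usbi_handle_transfer_cancellation()`. I would add `tpriv->urbs = NULL;` directly after the free, so that any path reading it during or after the callback (none is visible in this hunk) sees NULL rather than freed memory. The new ordering is load-bearing and easy to revert by accident, so a comment above the two lines would help, for example `/* free URBs before reporting: the callback may free the transfer, so tpriv must not be touched afterwards */`. The `COMPLETED_EARLY` branch jumps to `out`, which lies outside the hunk, and it is worth confirming that nothing there dereferences `tpriv` after a callback has run. handle_bulk_completion begins and ends outside the hunk, so the rest of the function could not be checked here.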