diff options
author | Mathias Krause <minipli@googlemail.com> | 2013-03-24 19:40:02 +0100 |
---|---|---|
committer | Anton Kochkov <anton.kochkov@gmail.com> | 2013-03-25 15:34:53 +0100 |
commit | 59c020ab15fcc090e0605df1e17f41ffa861b153 (patch) | |
tree | 2c95fa243ea9e253ed0fc2c66a02ad46d6ad59c2 | |
parent | 7a9da71c5f276cdfd986ad81b2b344fc641bd0a7 (diff) |
libpayload: fix use-after-free in usb_exit()
The controller's shutdown function free()s the controller structure so
we shouldn't access it any more after calling shutdown.
As all controllers detach themself, i.e. unchain themself from usb_hcs,
just keep iterating over usb_hcs until it's NULL.
Change-Id: Ie85caba0f685494c3fe04c550a5a14bc4158a94e
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Reviewed-on: http://review.coreboot.org/2900
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Tested-by: build bot (Jenkins)
Reviewed-by: Anton Kochkov <anton.kochkov@gmail.com>
-rw-r--r-- | payloads/libpayload/drivers/usb/usb.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/payloads/libpayload/drivers/usb/usb.c b/payloads/libpayload/drivers/usb/usb.c index 0448d38ad8..23561c40aa 100644 --- a/payloads/libpayload/drivers/usb/usb.c +++ b/payloads/libpayload/drivers/usb/usb.c @@ -74,12 +74,8 @@ detach_controller (hci_t *controller) int usb_exit (void) { - if (usb_hcs == 0) - return 0; - hci_t *controller = usb_hcs; - while (controller != NULL) { - controller->shutdown(controller); - controller = controller->next; + while (usb_hcs != NULL) { + usb_hcs->shutdown(usb_hcs); } return 0; } |