summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2013-03-24 19:40:02 +0100
committerAnton Kochkov <anton.kochkov@gmail.com>2013-03-25 15:34:53 +0100
commit59c020ab15fcc090e0605df1e17f41ffa861b153 (patch)
tree2c95fa243ea9e253ed0fc2c66a02ad46d6ad59c2
parent7a9da71c5f276cdfd986ad81b2b344fc641bd0a7 (diff)
libpayload: fix use-after-free in usb_exit()
The controller's shutdown function free()s the controller structure so we shouldn't access it any more after calling shutdown. As all controllers detach themself, i.e. unchain themself from usb_hcs, just keep iterating over usb_hcs until it's NULL. Change-Id: Ie85caba0f685494c3fe04c550a5a14bc4158a94e Signed-off-by: Mathias Krause <minipli@googlemail.com> Reviewed-on: http://review.coreboot.org/2900 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Tested-by: build bot (Jenkins) Reviewed-by: Anton Kochkov <anton.kochkov@gmail.com>
-rw-r--r--payloads/libpayload/drivers/usb/usb.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/payloads/libpayload/drivers/usb/usb.c b/payloads/libpayload/drivers/usb/usb.c
index 0448d38ad8..23561c40aa 100644
--- a/payloads/libpayload/drivers/usb/usb.c
+++ b/payloads/libpayload/drivers/usb/usb.c
@@ -74,12 +74,8 @@ detach_controller (hci_t *controller)
int
usb_exit (void)
{
- if (usb_hcs == 0)
- return 0;
- hci_t *controller = usb_hcs;
- while (controller != NULL) {
- controller->shutdown(controller);
- controller = controller->next;
+ while (usb_hcs != NULL) {
+ usb_hcs->shutdown(usb_hcs);
}
return 0;
}