From 59c020ab15fcc090e0605df1e17f41ffa861b153 Mon Sep 17 00:00:00 2001 From: Mathias Krause Date: Sun, 24 Mar 2013 19:40:02 +0100 Subject: [PATCH] libpayload: fix use-after-free in usb_exit() The controller's shutdown function free()s the controller structure so we shouldn't access it any more after calling shutdown. As all controllers detach themself, i.e. unchain themself from usb_hcs, just keep iterating over usb_hcs until it's NULL. Change-Id: Ie85caba0f685494c3fe04c550a5a14bc4158a94e Signed-off-by: Mathias Krause Reviewed-on: http://review.coreboot.org/2900 Reviewed-by: Paul Menzel Tested-by: build bot (Jenkins) Reviewed-by: Anton Kochkov
---
 payloads/libpayload/drivers/usb/usb.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/payloads/libpayload/drivers/usb/usb.c b/payloads/libpayload/drivers/usb/usb.c
index 0448d38ad8..23561c40aa 100644
--- a/payloads/libpayload/drivers/usb/usb.c
+++ b/payloads/libpayload/drivers/usb/usb.c
@@ -74,12 +74,8 @@ detach_controller (hci_t *controller)
 int
 usb_exit (void)
 {
- if (usb_hcs == 0)
- return 0;
- hci_t *controller = usb_hcs;
- while (controller != NULL) {
- controller->shutdown(controller);
- controller = controller->next;
+ while (usb_hcs != NULL) {
+ usb_hcs->shutdown(usb_hcs);
 }
 return 0;
 }
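Review bot: Termination of the new loop in usb_exit() depends on every controller's `shutdown` unlinking itself from `usb_hcs`, and nothing in the code states or checks that. The shutdown implementations are not visible in this hunk; if one of them returns without calling `detach_controller` (on an error path, say), the loop would call `shutdown` again on a structure that has probably just been freed, turning the fixed use-after-free into a double free, and it would never exit. At minimum I would record the contract above the loop, e.g. `/* shutdown() frees the hci_t and must detach it from usb_hcs first */`. A cheap guard is also possible: remember the list head before the call and stop if `usb_hcs` still points at it afterwards.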