From ff52577c1b5188a5f25bd7d7d41730bb5de4b688 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Thu, 3 Dec 2020 17:32:04 +0200 Subject: [PATCH] f_rockusb: Avoid use-after-free in the global pointer variable In case of usb_add_function() failure the error path has two issues: - the potentially allocated structure isn't getting freed - the global pointer variable is assigned to garbage Fix the above mentioned issues by freeing memory and assigning NULL. Signed-off-by: Andy Shevchenko --- drivers/usb/gadget/f_rockusb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/f_rockusb.c b/drivers/usb/gadget/f_rockusb.c index 9dd10f9e9a..bd846ce9a7 100644 --- a/drivers/usb/gadget/f_rockusb.c +++ b/drivers/usb/gadget/f_rockusb.c @@ -309,8 +309,9 @@ static int rockusb_add(struct usb_configuration *c) status = usb_add_function(c, &f_rkusb->usb_function); if (status) { + free(f_rkusb->buf_head); free(f_rkusb); - rockusb_func = f_rkusb; + rockusb_func = NULL; } return status; } -- 2.39.5