Skip to content

Commit 493ddef

Browse files
tianhuasacrnsi
tianhuas
authored and
acrnsi
committed
dm: fix pointer not checked for null before use
this patch fix null pointer access issues. Tracked-On: #3434 Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com> Reviewed-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
1 parent d4f44bc commit 493ddef

File tree

2 files changed

+7
-2
lines changed

2 files changed

+7
-2
lines changed

devicemodel/hw/pci/xhci.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2923,7 +2923,7 @@ pci_xhci_handle_transfer(struct pci_xhci_vdev *xdev,
29232923
trb->dwTrb2 & 0x1FFFF, (void *)addr,
29242924
ccs);
29252925

2926-
if (trb->dwTrb3 & XHCI_TRB_3_CHAIN_BIT)
2926+
if (xfer_block && (trb->dwTrb3 & XHCI_TRB_3_CHAIN_BIT))
29272927
xfer_block->chained = 1;
29282928
break;
29292929

devicemodel/hw/platform/usb_pmapper.c

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -181,6 +181,10 @@ usb_dev_comp_cb(struct libusb_transfer *trn)
181181

182182
/* async request */
183183
r = trn->user_data;
184+
if (!r) {
185+
UPRINTF(LFTL, "error: user context data not found on USB transfer\r\n");
186+
goto free_transfer;
187+
}
184188
info = &r->udev->info;
185189

186190
/* async transfer */
@@ -311,13 +315,14 @@ usb_dev_comp_cb(struct libusb_transfer *trn)
311315
cancel_out:
312316
/* unlock and release memory */
313317
g_ctx.unlock_ep_cb(xfer->dev, &xfer->epid);
314-
libusb_free_transfer(trn);
315318

316319
if (r && r->buffer)
317320
free(r->buffer);
318321

319322
xfer->requests[r->blk_start] = NULL;
320323
free(r);
324+
free_transfer:
325+
libusb_free_transfer(trn);
321326
}
322327

323328
static struct usb_dev_req *

0 commit comments

Comments
 (0)