Date:      Fri, 6 Nov 2009 04:00:14 GMT
From:      Robert Jenssen <robertjenssen@ozemail.com.au>
To:        freebsd-usb@FreeBSD.org
Subject:   Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
Message-ID:  <200911060400.nA640E7C058546@freefall.freebsd.org>

The following reply was made to PR usb/140325; it has been noted by GNATS.

From: Robert Jenssen <robertjenssen@ozemail.com.au>
To: bug-followup@FreeBSD.org, robertjenssen@hotmail.com
Cc:  
Subject: Re: usb/140325: Missing/incorrect initialisation and memory leak in
 libusb10/libusb20
Date: Fri, 6 Nov 2009 14:42:13 +1100

 Hi,
 
 Regarding my bug report usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20. I revised my simple test to:
 
 #include <stdio.h>
 #include <libusb.h>
 
 int
 main(void)
 {
   libusb_context *context;
   struct libusb_device **devs;
   libusb_device_handle *handle;
   struct libusb_config_descriptor *config;
   struct libusb_device_descriptor device_desc;
   int bytes;
 #define STRLEN 128
   unsigned char str[STRLEN];
   int transferred;
   
   libusb_init(&context);
   libusb_get_device_list(context, &devs);
   libusb_get_active_config_descriptor(devs[0], &config);
   libusb_free_config_descriptor(config);
   libusb_get_device_descriptor(devs[0], &device_desc);
   libusb_open(devs[0], &handle);
   libusb_get_string_descriptor_ascii(handle,device_desc.iProduct,str,STRLEN);
   libusb_claim_interface(handle, 1);
   libusb_bulk_transfer(handle, 1, str, STRLEN, &transferred, 0);
   libusb_release_interface(handle, 1);
   libusb_close(handle);
   libusb_free_device_list(devs, 1);
   libusb_exit(context);
 
   return 0;
 }
 
 and found two additional problems:
 
 4. A jump on uninitialised occurs at libusb20.c:658 in libusb20_dev_req_string_sync():
   req.wLength = *(uint8_t *)ptr;	/* bytes */
   if (req.wLength > len) {
 To fix, zero the upper byte with:
   memset(ptr, 0, len);
 
 5. A memory leak occurs for devs[0] in the above test. devs[0]->refcnt is incremented to 3 during libusb_bulk_transfer() but not decremented on exit from that function. Consequently, devs[0] is not freed in libusb_free_device_list(). I couldn't see a quick fix for this and it's a minor memory leak (44 bytes) so I will leave it for an expert.
 
 Regards,
 
 Rob
 -- 
 Robert Jenssen <robertjenssen@ozemail.com.au>
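
An added example, not part of the original message and not the libusb20 source: a self-contained model of item 4, where the first byte of a caller-supplied buffer is used as the descriptor length without knowing the transfer wrote it, next to a form that zeroes the buffer first as the report proposes. `mock_transfer`, `length_unchecked`, `length_checked` and `probe_length` are hypothetical names, and the 0xA5 fill is a constructed stand-in for uninitialised stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STRLEN 128 /* same buffer size as the test program in the report */

/* Constructed stand-in for the control transfer: copies at most `want`
 * bytes of the device reply into buf and returns the number written. */
static size_t mock_transfer(const uint8_t *reply, size_t reply_len,
                            uint8_t *buf, size_t want)
{
    size_t n = reply_len < want ? reply_len : want;
    memcpy(buf, reply, n);
    return n;
}

/* Reported pattern: the first byte of the buffer becomes the length
 * whether or not the transfer wrote it. */
static int length_unchecked(const uint8_t *reply, size_t reply_len,
                            uint8_t *buf, uint16_t len)
{
    uint16_t wLength;
    (void)mock_transfer(reply, reply_len, buf, 4);
    wLength = buf[0]; /* stale byte if nothing was written */
    return wLength > len ? len : wLength;
}

/* Hardened: zero the buffer first (the fix proposed in the report) and
 * reject a first read too short to hold bLength and bDescriptorType
 * (an extra check added for this example). Returns -1 on error. */
static int length_checked(const uint8_t *reply, size_t reply_len,
                          uint8_t *buf, uint16_t len)
{
    if (len < 4)
        return -1;
    memset(buf, 0, len);
    if (mock_transfer(reply, reply_len, buf, 4) < 2)
        return -1;
    return buf[0] > len ? len : buf[0];
}

/* Runs one variant on a buffer pre-filled with 0xA5, a deterministic
 * stand-in for uninitialised stack contents. */
int probe_length(int checked, const uint8_t *reply, size_t reply_len)
{
    uint8_t str[STRLEN];
    memset(str, 0xA5, sizeof(str));
    return checked ? length_checked(reply, reply_len, str, STRLEN)
                   : length_unchecked(reply, reply_len, str, STRLEN);
}
```

With an empty reply the unchecked form returns a length taken from the stale fill byte and clamped to the buffer size, while the checked form returns -1; both agree on a well-formed descriptor header.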


