From: Robert Jenssen
To: freebsd-usb@FreeBSD.org
Subject: Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
Date: Fri, 6 Nov 2009 04:00:14 GMT
Message-Id: <200911060400.nA640E7C058546@freefall.freebsd.org>
List-Id: FreeBSD support for USB

The following reply was made to PR usb/140325; it has been noted by GNATS.

From: Robert Jenssen
To: bug-followup@FreeBSD.org, robertjenssen@hotmail.com
Subject: Re: usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20
Date: Fri, 6 Nov 2009 14:42:13 +1100

Hi,

Regarding my bug report usb/140325: Missing/incorrect initialisation and memory leak in libusb10/libusb20.
I revised my simple test to:

    /* Header names were lost in the archived copy; these are the ones the
     * libusb-1.0 calls below require. */
    #include <stdio.h>
    #include <libusb.h>

    int main(void)
    {
        libusb_context *context;
        struct libusb_device **devs;
        libusb_device_handle *handle;
        struct libusb_config_descriptor *config;
        struct libusb_device_descriptor device_desc;
        #define STRLEN 128
        unsigned char str[STRLEN];
        int transferred;

        libusb_init(&context);
        libusb_get_device_list(context, &devs);

        /* Fetch and immediately free the active config descriptor of the first device. */
        libusb_get_active_config_descriptor(devs[0], &config);
        libusb_free_config_descriptor(config);

        libusb_get_device_descriptor(devs[0], &device_desc);
        libusb_open(devs[0], &handle);

        /* String descriptor request: exercises libusb20_dev_req_string_sync(). */
        libusb_get_string_descriptor_ascii(handle, device_desc.iProduct, str, STRLEN);

        /* Bulk transfer on interface 1: the refcount of devs[0] is bumped here. */
        libusb_claim_interface(handle, 1);
        libusb_bulk_transfer(handle, 1, str, STRLEN, &transferred, 0);
        libusb_release_interface(handle, 1);

        libusb_close(handle);
        libusb_free_device_list(devs, 1);
        libusb_exit(context);
        return 0;
    }

and found two additional problems:

4. A jump on uninitialised occurs at libusb20.c:658 in libusb20_dev_req_string_sync():

       req.wLength = *(uint8_t *)ptr; /* bytes */
       if (req.wLength > len) {

   To fix, zero the upper byte with:

       memset(ptr, 0, len);

5. A memory leak occurs for devs[0] in the above test. devs[0]->refcnt is incremented to 3 during libusb_bulk_transfer() but not decremented on exit from that function. Consequently, devs[0] is not freed in libusb_free_device_list(). I couldn't see a quick fix for this and it's a minor memory leak (44 bytes) so I will leave it for an expert.

Regards,
Rob
--
Robert Jenssen
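Point 4 above is a general pattern worth seeing end to end: a string-descriptor fetch reads a length byte (bLength) that the device supplies, and if the first request returns short, that byte is whatever was in the buffer beforehand. The following is an added example, not libusb20's code and not part of Rob's report. It models the two-step request flow (header first, then bLength bytes) against a constructed fake device callback, zeroes the buffer before each request, checks the returned byte count before trusting bLength, and decodes only the bytes that actually arrived. The names fake_dev, fake_req and req_string_ascii are hypothetical; the descriptor contents are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a device string request: fills up to len bytes of
 * descriptor `index` into buf and returns the number of bytes delivered,
 * which may be fewer than requested (a short read). */
typedef int (*string_req_fn)(uint8_t index, uint8_t *buf, size_t len, void *ctx);

/* Constructed fake device: holds one UTF-16LE string descriptor and a cap on
 * how many bytes it will return per request, so short reads can be simulated. */
struct fake_dev {
    uint8_t desc[64];
    size_t  desc_len;
    size_t  max_reply;
};

static void fake_dev_init(struct fake_dev *d, const char *ascii, size_t max_reply)
{
    size_t n = strlen(ascii);
    if (n > 30) n = 30;
    d->desc[0] = (uint8_t)(2 + 2 * n);   /* bLength */
    d->desc[1] = 0x03;                   /* bDescriptorType: STRING */
    for (size_t i = 0; i < n; i++) {
        d->desc[2 + 2 * i] = (uint8_t)ascii[i];
        d->desc[3 + 2 * i] = 0;
    }
    d->desc_len = 2 + 2 * n;
    d->max_reply = max_reply;
}

static int fake_req(uint8_t index, uint8_t *buf, size_t len, void *ctx)
{
    struct fake_dev *d = ctx;
    (void)index;
    size_t n = d->desc_len < len ? d->desc_len : len;
    if (n > d->max_reply) n = d->max_reply;
    memcpy(buf, d->desc, n);
    return (int)n;
}

/* Fetch string descriptor `index` and convert it to ASCII in out.
 * Returns the number of characters written (out is NUL-terminated) or -1. */
int req_string_ascii(string_req_fn req, void *ctx, uint8_t index,
                     char *out, size_t out_len)
{
    uint8_t buf[256];

    /* The fix from point 4: no stale bytes can be read if the reply is short. */
    memset(buf, 0, sizeof buf);
    int got = req(index, buf, 4, ctx);       /* first request: header only */
    if (got < 2)                             /* bLength was never delivered */
        return -1;

    /* bLength comes from the device, so bound it before using it as a length. */
    size_t blen = buf[0];
    if (blen < 2 || blen > sizeof buf || buf[1] != 0x03)
        return -1;

    memset(buf, 0, sizeof buf);
    got = req(index, buf, blen, ctx);        /* second request: full descriptor */
    if (got < 2)
        return -1;
    /* Decode only what actually arrived, never the zero padding beyond it. */
    size_t usable = (size_t)got < blen ? (size_t)got : blen;

    size_t n = 0;
    for (size_t i = 2; i + 1 < usable && n + 1 < out_len; i += 2) {
        uint16_t cp = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        out[n++] = cp < 0x80 ? (char)cp : '?';
    }
    out[n] = '\0';
    return (int)n;
}

static char g_out[64];   /* output buffer shared by the demo scenarios */
const char *demo_text(void) { return g_out; }

/* Well-behaved device: full 24-byte descriptor returned. */
int demo_full(void)
{
    struct fake_dev d;
    fake_dev_init(&d, "FreeBSD USB", 64);
    return req_string_ascii(fake_req, &d, 2, g_out, sizeof g_out);
}

/* Device that truncates the second reply to 10 bytes. */
int demo_truncated(void)
{
    struct fake_dev d;
    fake_dev_init(&d, "FreeBSD USB", 10);
    return req_string_ascii(fake_req, &d, 2, g_out, sizeof g_out);
}

/* Device that returns a single byte: bLength never arrives, request rejected. */
int demo_short(void)
{
    struct fake_dev d;
    fake_dev_init(&d, "FreeBSD USB", 1);
    return req_string_ascii(fake_req, &d, 2, g_out, sizeof g_out);
}

int main(void)
{
    printf("full: %d '%s'\n", demo_full(), demo_text());
    printf("truncated: %d '%s'\n", demo_truncated(), demo_text());
    printf("short: %d\n", demo_short());
    return 0;
}
```

The two checks on `got` are what actually prevent the jump on an uninitialised value; the memset is the cheap backstop that keeps the failure benign if a caller ever skips them. In the truncated scenario the decoder returns "Free" rather than 11 characters of which 7 would be zero padding.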