Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b296c4b1 authored by Jack Pham's avatar Jack Pham
Browse files

platform: msm: usb_bam: Fix potential use-after-free in connect_pipe 



In the connect_pipe() failure path, the allocated pipe is freed but
the pointer variable is not reset creating a dangling pointer and
potential UaF if it is later accessed.  Fix it by assigning it to NULL.

Change-Id: Iae9fb05ce819fc94839180762393fa18aaecdd60
Signed-off-by: default avatarJack Pham <quic_jackp@quicinc.com>
parent 6dd9e34e

drivers/platform/msm/usb_bam.c

+1 −0
Original line number Diff line number Diff line
@@ -866,6 +866,7 @@ static int connect_pipe(enum usb_ctrl cur_bam, u8 idx, u32 *usb_pipe_idx, 
	sps_disconnect(*pipe);

free_sps_endpoint:

	sps_free_endpoint(*pipe);

	*pipe = NULL;

	return ret;

}