>Number: 6583
>Category: kernel
>Synopsis: memory leak in usbd_set_config_index()
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 28 15:10:01 GMT 2011
>Closed-Date:
>Last-Modified:
>Originator:
>Release:
>Organization:
>Environment:
System : OpenBSD 4.8
Details : OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
>Description:
dev->ifaces is not freed after failure of usbd_fill_iface_data() in
usbd_set_config_index().
>How-To-Repeat:
>Fix:
See the following diff:
Index: dev/usb/usb_subr.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v
retrieving revision 1.73
diff -u -r1.73 usb_subr.c
--- dev/usb/usb_subr.c 14 Jan 2009 21:02:57 -0000 1.73
+++ dev/usb/usb_subr.c 22 Mar 2011 13:42:36 -0000
@@ -731,7 +731,7 @@
}
DPRINTF(("usbd_set_config_index: (addr %d) cno=%d attr=0x%02x, "
"selfpowered=%d, power=%d\n",
- cdp->bConfigurationValue, dev->address, cdp->bmAttributes,
+ dev->address, cdp->bConfigurationValue, cdp->bmAttributes,
selfpowered, cdp->bMaxPower * 2));
/* Check if we have enough power. */
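Review bot: The argument swap in the DPRINTF call (dev->address now first, cdp->bConfigurationValue second) lines up with the "(addr %d) cno=%d" format string, but it is unrelated to the leak named in the synopsis and is not mentioned in the description. Suggest noting it in the report or sending it as a separate change so the leak fix can be reviewed and backed out on its own.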
@@ -784,7 +784,12 @@
if (err) {
while (--ifcidx >= 0)
usbd_free_iface_data(dev, ifcidx);
- goto bad;
+ free(dev->ifaces, M_USB);
+ free(dev->cdesc, M_USB);
+ dev->ifaces = NULL;
+ dev->cdesc = NULL;
+ dev->config = USB_UNCONFIG_NO;
+ return (err);
}
}
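Review bot: In the `if (err)` branch, replacing `goto bad` with inline frees and `return (err)` bypasses the function's common error exit, and the `bad` label is outside this hunk, so it is not visible whether it performs other cleanup that is now skipped. Consider keeping a single exit path by adding `free(dev->ifaces, M_USB); dev->ifaces = NULL;` ahead of the existing `goto bad`, or state in the report that `bad` does nothing beyond what these lines do. Please also confirm that dev->cdesc has already been set to the descriptor being processed at this point, since the new code frees dev->cdesc while the rest of the visible code refers to it as cdp.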
>Release-Note:
>Audit-Trail:
>Unformatted: