avoid possible null-pointer dereference in error-path

[hmcfgusb] / hmcfgusb.c

diff --git a/hmcfgusb.c b/hmcfgusb.c
index 8261f1302ee13bcf250240625d664c2e4c167b9c..83c9719b04b0d71e7324343a4aa75e7f147d3f87 100644 (file)
--- a/hmcfgusb.c
+++ b/hmcfgusb.c
@@ -201,13 +201,13 @@ int hmcfgusb_send(struct hmcfgusb_dev *usbdev, unsigned char* send_data, int len
        return 1;
 }
 
-static struct libusb_transfer *hmcfgusb_prepare_int(libusb_device_handle *devh, libusb_transfer_cb_fn cb, void *data)
+static struct libusb_transfer *hmcfgusb_prepare_int(libusb_device_handle *devh, libusb_transfer_cb_fn cb, void *data, int in_size)
 {
        unsigned char *data_buf;
        struct libusb_transfer *transfer;
        int err;
 
-       data_buf = malloc(ASYNC_SIZE);
+       data_buf = malloc(in_size);
        if (!data_buf) {
                fprintf(stderr, "Can't allocate memory for data-buffer!\n");
                return NULL;
@@ -221,9 +221,9 @@ static struct libusb_transfer *hmcfgusb_prepare_int(libusb_device_handle *devh,
        }
 
        libusb_fill_interrupt_transfer(transfer, devh, EP_IN,
-                       data_buf, ASYNC_SIZE, cb, data, USB_TIMEOUT);
+                       data_buf, in_size, cb, data, USB_TIMEOUT);
 
-       transfer->flags = LIBUSB_TRANSFER_SHORT_NOT_OK | LIBUSB_TRANSFER_FREE_BUFFER;
+       transfer->flags = LIBUSB_TRANSFER_FREE_BUFFER;
 
        err = libusb_submit_transfer(transfer);
        if (err != 0) {
@@ -285,8 +285,11 @@ static void LIBUSB_CALL hmcfgusb_interrupt(struct libusb_transfer *transfer)
        if (err != 0) {
                fprintf(stderr, "Can't re-submit transfer: %s\n", usb_strerror(err));
                libusb_free_transfer(transfer);
-               cb_data->dev->transfer = NULL;
-               free(cb_data);
+               if (cb_data) {
+                       if (cb_data->dev)
+                               cb_data->dev->transfer = NULL;
+                       free(cb_data);
+               }
        }
 }
 
@@ -311,6 +314,7 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
                devh = hmcfgusb_find(ID_VENDOR, ID_PRODUCT_BL);
                if (!devh) {
                        fprintf(stderr, "Can't find/open hmcfgusb!\n");
+                       libusb_exit(NULL);
                        return NULL;
                }
                bootloader = 1;
@@ -319,6 +323,8 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
        dev = malloc(sizeof(struct hmcfgusb_dev));
        if (!dev) {
                perror("Can't allocate memory for hmcfgusb_dev");
+               libusb_close(devh);
+               libusb_exit(NULL);
                return NULL;
        }
 
@@ -331,6 +337,8 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
        if (!cb_data) {
                perror("Can't allocate memory for hmcfgusb_cb_data");
                free(dev);
+               libusb_close(devh);
+               libusb_exit(NULL);
                return NULL;
        }
 
@@ -340,11 +348,14 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
        cb_data->cb = cb;
        cb_data->data = data;
 
-       dev->transfer = hmcfgusb_prepare_int(devh, hmcfgusb_interrupt, cb_data);
+       dev->transfer = hmcfgusb_prepare_int(devh, hmcfgusb_interrupt, cb_data, ASYNC_SIZE);
+
        if (!dev->transfer) {
                fprintf(stderr, "Can't prepare async device io!\n");
                free(dev);
                free(cb_data);
+               libusb_close(devh);
+               libusb_exit(NULL);
                return NULL;
        }
 
@@ -353,6 +364,8 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
                fprintf(stderr, "Can't get FDset from libusb!\n");
                free(dev);
                free(cb_data);
+               libusb_close(devh);
+               libusb_exit(NULL);
                return NULL;
        }
 
@@ -365,6 +378,8 @@ struct hmcfgusb_dev *hmcfgusb_init(hmcfgusb_cb_fn cb, void *data)
                perror("Can't allocate memory for poll-fds");
                free(dev);
                free(cb_data);
+               libusb_close(devh);
+               libusb_exit(NULL);
                return NULL;
        }
 
@@ -421,13 +436,11 @@ int hmcfgusb_poll(struct hmcfgusb_dev *dev, int timeout)
                return -1;
        } else if (err == 0) {
                /* No pending timeout or a sane platform */
-               tv.tv_sec = timeout;
        } else {
                if ((tv.tv_sec == 0) && (tv.tv_usec == 0)) {
                        usb_event = 1;
-               } else if (tv.tv_sec > timeout) {
-                       tv.tv_sec = timeout;
-                       tv.tv_usec = 0;
+               } else if ((tv.tv_sec * 1000) < timeout) {
+                       timeout = tv.tv_sec * 1000;
                }
        }
 
@@ -436,7 +449,7 @@ int hmcfgusb_poll(struct hmcfgusb_dev *dev, int timeout)
                        dev->pfd[i].revents = 0;
                }
 
-               n = poll(dev->pfd, dev->n_pfd, tv.tv_sec * 1000);
+               n = poll(dev->pfd, dev->n_pfd, timeout);
                if (n < 0) {
                        perror("poll");
                        errno = 0;
@@ -497,6 +510,22 @@ void hmcfgusb_enter_bootloader(struct hmcfgusb_dev *dev)
        return;
 }
 
+void hmcfgusb_leave_bootloader(struct hmcfgusb_dev *dev)
+{
+       uint8_t out[ASYNC_SIZE];
+
+       if (!dev->bootloader) {
+               fprintf(stderr, "request for leaving bootloader mode, but device already in normal mode!\n");
+               return;
+       }
+
+       memset(out, 0, sizeof(out));
+       out[0] = 'K';
+       hmcfgusb_send(dev, out, sizeof(out), 1);
+
+       return;
+}
+
 void hmcfgusb_close(struct hmcfgusb_dev *dev)
 {
        int err;