From c4b14be48fe9b0f52bca9840375eb0eac3cc2432 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 14 Apr 2022 10:04:56 +0200
Subject: [PATCH] scd: Fix memory leak in ccid-driver.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--
Due to an assignment out of bounds this might lead to a crash if there are more than 15 readers. In any case it fixes a memory leak. Kudos to the friendly auditor who found that bug.
Fixes-commit: 8a41e73c31adb86d4a7dca4da695e5ad1347811f
---
 scd/ccid-driver.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/scd/ccid-driver.c b/scd/ccid-driver.c
index 919f685e5..4faf4af97 100644
--- a/scd/ccid-driver.c
+++ b/scd/ccid-driver.c
@@ -1441,15 +1441,15 @@ ccid_dev_scan (int *idx_max_p, void **t_p)
 {
 for (i = 0; i < idx; i++)
 {
- free (ccid_dev_table[idx].ifcdesc_extra);
- ccid_dev_table[idx].n = 0;
- ccid_dev_table[idx].interface_number = 0;
- ccid_dev_table[idx].setting_number = 0;
- ccid_dev_table[idx].ifcdesc_extra = NULL;
- ccid_dev_table[idx].ifcdesc_extra_len = 0;
- ccid_dev_table[idx].ep_bulk_out = 0;
- ccid_dev_table[idx].ep_bulk_in = 0;
- ccid_dev_table[idx].ep_intr = 0;
+ free (ccid_dev_table[i].ifcdesc_extra);
+ ccid_dev_table[i].n = 0;
+ ccid_dev_table[i].interface_number = 0;
+ ccid_dev_table[i].setting_number = 0;
+ ccid_dev_table[i].ifcdesc_extra = NULL;
+ ccid_dev_table[i].ifcdesc_extra_len = 0;
+ ccid_dev_table[i].ep_bulk_out = 0;
+ ccid_dev_table[i].ep_bulk_in = 0;
+ ccid_dev_table[i].ep_intr = 0;
 }
 libusb_free_device_list (ccid_usb_dev_list, 1);
 ccid_usb_dev_list = NULL;
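Review bot: The cleanup loop in ccid_dev_scan is only safe while `idx` never exceeds the number of entries in `ccid_dev_table`, and nothing in this hunk states or enforces that; whatever limits `idx` sits outside the lines shown. With the subscript corrected to `i`, the loop frees and clears entries 0 through idx-1, so `idx` is used purely as a count, and mixing the two up is exactly what caused the out-of-bounds write and the leaked `ifcdesc_extra` buffers. A comment above the loop would keep that distinction visible, for example `/* idx is the number of entries filled so far, not an index; release entries 0..idx-1. */`. It is also worth confirming that the place where `idx` is incremented rejects further devices once the table is full, since the commit message ties the crash to more than 15 readers. The enclosing block starts and ends outside the hunk.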