Core: Fix potential segfault caused by using freed memory

When a transfer is submitted, the device is referenced in libusb_submit_transfer()
and unreferenced in usbi_handle_transfer_completion(). This transfer could potentially
be freed by any user callback, or is freed by libusb if LIBUSB_TRANSFER_FREE_TRANSFER
is set in the flags. The call to unreference the device uses this potentially freed
memory. Reading the device handle beforehand will prevent this disaster.

1 files changed, 2 insertions, 1 deletions

diff --git a/libusb/io.c b/libusb/io.c
index 64712c2..d766ccf 100644
--- a/libusb/io.c
+++ b/libusb/io.c
@@ -1524,6 +1524,7 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
 	struct libusb_transfer *transfer =
 		USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
 	struct libusb_context *ctx = TRANSFER_CTX(transfer);
+	struct libusb_device_handle *handle = transfer->dev_handle;
 	uint8_t flags;
 	int r = 0;
 
@@ -1564,7 +1565,7 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
 	usbi_mutex_lock(&ctx->event_waiters_lock);
 	usbi_cond_broadcast(&ctx->event_waiters_cond);
 	usbi_mutex_unlock(&ctx->event_waiters_lock);
-	libusb_unref_device(transfer->dev_handle->dev);
+	libusb_unref_device(handle->dev);
 	return 0;
 }