From a555434c50544410ab6f8915f1e2a829cc6e6de2 Mon Sep 17 00:00:00 2001
From: Antonio Borneo
Date: Mon, 9 Aug 2021 15:03:37 +0200
Subject: [PATCH] jtag/mpsse: fix SIGSEGV for use after free

By pressing CTRL-C on a running openocd with an FTDI adapter, it's
possible to generate a segmentation fault that with valgrind is
dumped as a SIGABRT:

^CError: libusb_handle_events() failed with LIBUSB_ERROR_INTERRUPTED
==16594== Invalid read of size 8
==16594==    at 0x48B2472: libusb_submit_transfer
==16594==    by 0x48B4B0F: libusb_control_transfer
==16594==    by 0x1A6B9D: mpsse_purge (mpsse.c:428)
==16594==    by 0x1A7B96: mpsse_flush (mpsse.c:953)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Address 0x6158568 is 72 bytes inside a block of size 216 free'd
==16594==    at 0x484118B: free (vg_replace_malloc.c:755)
==16594==    by 0x1A7B88: mpsse_flush (mpsse.c:950)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Block was alloc'd at
==16594==    at 0x48435FF: calloc (vg_replace_malloc.c:1117)
==16594==    by 0x48B2259: libusb_alloc_transfer
==16594==    by 0x1A7A26: mpsse_flush (mpsse.c:880)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594== Process terminating with default action of signal 6 (SIGABRT): dumping core
...
Aborted (core dumped)

The error is in mpsse_flush() that, following the valgrind dump:
- allocates the buffer at line mpsse.c:880
	read_transfer = libusb_alloc_transfer(0);
- frees the buffer at line mpsse.c:950
	libusb_free_transfer(read_transfer);
- still pretends to use the freed buffer at line mpsse.c:953
	mpsse_purge(ctx);

Move the call to mpsse_purge() right before freeing the buffer.

Change-Id: I47c71ec8c283f4b037fdd7cd72ca2e877cd3a851
Signed-off-by: Antonio Borneo
Reviewed-on: http://openocd.zylin.com/6417
Tested-by: jenkins
---
 src/jtag/drivers/mpsse.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/jtag/drivers/mpsse.c b/src/jtag/drivers/mpsse.c
index 4e64fdbbf..0e3d2be0e 100644
--- a/src/jtag/drivers/mpsse.c +++ b/src/jtag/drivers/mpsse.c @@ -945,12 +945,12 @@ error_check: retval = ERROR_OK; } + if (retval != ERROR_OK) + mpsse_purge(ctx); + libusb_free_transfer(write_transfer); if (read_transfer) libusb_free_transfer(read_transfer); - if (retval != ERROR_OK) - mpsse_purge(ctx); - return retval; }
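Review bot: reordering `mpsse_purge(ctx)` ahead of `libusb_free_transfer(write_transfer)` / `libusb_free_transfer(read_transfer)` removes the crash shown in the valgrind trace, but the trace itself suggests the freed transfer is still referenced by libusb rather than by mpsse_purge() directly: the invalid read is inside `libusb_submit_transfer` for the control transfer that `libusb_control_transfer` builds for the purge, yet the freed block is the `read_transfer` allocated at mpsse.c:880. That pattern is what one sees when a transfer is freed while libusb still has it in flight, which is plausible here since the error path is entered after `libusb_handle_events()` returned `LIBUSB_ERROR_INTERRUPTED` and the read may never have completed. With this hunk the purge runs safely, but the two transfers are still freed in the same state, so the next `libusb_submit_transfer` from any later call could hit the same dangling entry. Please either cancel the pending transfers and wait for their completion callbacks on the error path before the two `libusb_free_transfer` calls, or, if that is deliberately out of scope for this change, add a short comment above the moved `if (retval != ERROR_OK)` block stating that the purge must precede the frees, so a future cleanup does not reorder it back.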