Overview
A double free may occur in the STM32 USBX host controller code when ux_stm32_ed_setup and ux_stm32_ed_data point to the same memory.
Step 1: Memory freed in control transfer
In ux_hcd_stm32_request_control_transfer() (file: ux_hcd_stm32_request_control_transfer.c, around line 239), the following code frees ed->ux_stm32_ed_setup:
_ux_utility_memory_free(ed -> ux_stm32_ed_setup);
ed -> ux_stm32_ed_setup = UX_NULL;
Step 2: Memory freed again in interrupt
Later, _ux_hcd_stm32_request_trans_finish() (in ux_hcd_stm32_request_trans_finish.c) is called in interrupt context.
It contains this code:
if (ed -> ux_stm32_ed_data != ed -> ux_stm32_ed_setup)
{
    _ux_utility_memory_free(ed -> ux_stm32_ed_data);
    ed -> ux_stm32_ed_data = UX_NULL;
}
However, if ed->ux_stm32_ed_data and ed->ux_stm32_ed_setup originally held the same address (e.g., 0x12345678), the guard does not help: ux_stm32_ed_setup has already been set to UX_NULL, so the two pointers no longer compare equal and the same memory is freed twice:
- Once in request_control_transfer
- Once again in request_trans_finish
This is a double free, which may lead to memory corruption or a crash.
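To make the aliasing failure concrete, here is an added C model of the two cleanup paths (not code from the USBX project): the endpoint struct, the block and its free counter are constructed stand-ins, the function names are hypothetical shortenings of the ones above, and the `_fixed` variant is an assumed mitigation rather than the project's patch.

```c
#include <stddef.h>

/* Hypothetical stand-in for the two USBX endpoint-descriptor pointers in the report. */
typedef struct {
    void *ux_stm32_ed_setup;
    void *ux_stm32_ed_data;
} ed_model_t;

/* Constructed heap stand-in: one block plus a free counter, so a double free
 * shows up as a count of 2 instead of corrupting a real allocator. */
static char shared_block[8];
static int shared_block_frees;

static void model_memory_free(void *p) {
    if (p == shared_block) shared_block_frees++;
}

/* Step 1 as reported: the setup buffer is freed and its pointer cleared. */
static void control_transfer_cleanup(ed_model_t *ed) {
    model_memory_free(ed->ux_stm32_ed_setup);
    ed->ux_stm32_ed_setup = NULL;
}

/* Step 2 as reported: the guard compares data against setup, but setup is
 * already NULL, so an aliased data pointer is freed a second time. */
static void trans_finish_cleanup(ed_model_t *ed) {
    if (ed->ux_stm32_ed_data != ed->ux_stm32_ed_setup) {
        model_memory_free(ed->ux_stm32_ed_data);
        ed->ux_stm32_ed_data = NULL;
    }
}

/* Assumed mitigation (not the project's patch): drop the alias before the
 * first free, so the later guard sees NULL == NULL and skips the free. */
static void control_transfer_cleanup_fixed(ed_model_t *ed) {
    if (ed->ux_stm32_ed_data == ed->ux_stm32_ed_setup)
        ed->ux_stm32_ed_data = NULL;
    control_transfer_cleanup(ed);
}

/* Runs the aliased scenario; returns how many times the shared block was freed. */
int aliased_free_count(int use_fix) {
    ed_model_t ed = { shared_block, shared_block };   /* both pointers alias one block */
    shared_block_frees = 0;
    if (use_fix)
        control_transfer_cleanup_fixed(&ed);
    else
        control_transfer_cleanup(&ed);
    trans_finish_cleanup(&ed);   /* models the later interrupt-context path */
    return shared_block_frees;
}
```

With the reported code the block is freed twice; with the alias cleared first, the second path is skipped and it is freed once.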