Bug 196471

Created attachment 151308 [details]
testcase for libusb segmentation fault

I have encountered a segmentation fault when using libusb on an i386 FreeBSD 10.1 system with the latest patches applied:

Steps to reproduce:

- get a pointer libusb_device *device
- use it in some way
- close it
- reopen it
- claim an interface of the device handle
- then it crashes with a segmentation fault

Debugging the libusb_claim_interface method led to this observation:

I am referring to this source code: http://svnweb.freebsd.org/base/stable/10/lib/libusb/libusb10.c?view=markup#l611

In line 615 the libusb_device * is calculated from the given libusb_device_handle *. The device does contain a NULL pointer as dev->ctx. This null pointer is passed to CTX_LOCK in line 622. Then the segmentation fault occurs.

If this line is inserted before line 622 the segmentation fault does not occur:

dev->ctx = GET_CONTEXT(dev->ctx);

But I am not sure if this is the right way to address the problem.

I have created a testcase which I will attach. You need to replace the manufacturer and product ids with some values for a connected usb device. The values in the example are for a HP Deskjet 5550 printer.

The same testcase works as expected on an Ubuntu 14.04 system with libusbx 1.0.17.