rigol-ds: fix use-after-free
authorRalf <jr-oss@gmx.net>
Mon, 7 Jun 2021 05:08:06 +0000 (07:08 +0200)
committerGerhard Sittig <gerhard.sittig@gmx.net>
Mon, 7 Jun 2021 05:48:44 +0000 (07:48 +0200)
This amends commit 4fad41a8a4f3 which fixed a leak but introduced the
use after free.

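--- a/src/hardware/rigol-ds/protocol.c
+++ b/src/hardware/rigol-ds/protocol.c
@@ -267,7 +267,7 @@ static int rigol_ds_check_stop(const struct sr_dev_inst *sdi)
 /* Wait for enough data becoming available in scope output buffer */
 static int rigol_ds_block_wait(const struct sr_dev_inst *sdi)
 {
-       char *buf;
+       char *buf, c;
        struct dev_context *devc;
        time_t start;
        int len, ret;
@@ -297,10 +297,11 @@ static int rigol_ds_block_wait(const struct sr_dev_inst *sdi)
                        if (sr_scpi_get_string(sdi->conn, ":WAV:STAT?", &buf) != SR_OK)
                                return SR_ERR;
                        ret = parse_int(buf + 5, &len);
+                       c = buf[0];
                        g_free(buf);
                        if (ret != SR_OK)
                                return SR_ERR;
-               } while (buf[0] == 'R' && len < (1000 * 1000));
+               } while (c == 'R' && len < (1000 * 1000));
        }
 
        rigol_ds_set_wait_event(devc, WAIT_NONE);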
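Review bot: In the second hunk, `parse_int(buf + 5, &len)` still indexes the `:WAV:STAT?` reply at a fixed offset with no length check, so a reply shorter than five characters makes `buf + 5` point past the string's terminator. The reply comes from the instrument over the SCPI connection, so its length should be validated before the offset is applied, for example `if (strlen(buf) < 5) { g_free(buf); return SR_ERR; }` placed ahead of the `parse_int` call (assuming `strlen` is already available in this file). The new `c = buf[0];` line also deserves a short comment such as `/* Keep the status character, buf is freed before the loop condition runs. */` so a later cleanup does not reintroduce the use after free. The body of rigol_ds_block_wait starts and ends outside the visible hunks, so whether `buf` can be NULL on an `SR_OK` return cannot be checked from here.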