From 88461d53ec146e4531ce40293c38355549532723 Mon Sep 17 00:00:00 2001 From: Benjamin Berg Date: Tue, 21 Jan 2020 12:34:40 +0100 Subject: [PATCH] upekts: Fix use-after-free in an error condition The callback function would continue processing even after having failed the SSM already. This causes further invalid operations on the SSM. This error was found using a coverity scan. --- libfprint/drivers/upekts.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libfprint/drivers/upekts.c b/libfprint/drivers/upekts.c index 47903ef..08e98c6 100644 --- a/libfprint/drivers/upekts.c +++ b/libfprint/drivers/upekts.c @@ -902,8 +902,10 @@ enroll_start_sm_cb_msg28 (FpDevice *dev, FpiSsm *ssm = user_data; if (error) - fpi_ssm_mark_failed (ssm, error); - if (type != READ_MSG_RESPONSE) + { + fpi_ssm_mark_failed (ssm, error); + } + else if (type != READ_MSG_RESPONSE) { fp_err ("expected response, got %d seq=%x", type, seq); fpi_ssm_mark_failed (ssm, fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,