Merge pull request #12 from github/uaf-fix

Fix UAF in SoftU2FUserClient::start
github · Jul 25, 2017 · ac45d5c · ac45d5c
2 parents 338d0c9 + 3d793fd
commit ac45d5c
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/SoftU2FDriver/SoftU2FUserClient.cpp b/SoftU2FDriver/SoftU2FUserClient.cpp
@@ -94,8 +94,6 @@ bool SoftU2FUserClient::start(IOService *provider) {
   if (!device->start(this))
     goto fail_device_start;
 
-  device->release();
-
   workLoop = getWorkLoop();
   if (!workLoop)
     goto fail_no_workloop;
@@ -107,6 +105,10 @@ bool SoftU2FUserClient::start(IOService *provider) {
   if (workLoop->addEventSource(_commandGate) != kIOReturnSuccess)
     goto fail_add_event_source;
 
+  // Our call to device->attach took a retain on the device when it was added to the registry.
+  // That will be released when the device is detached from the registry.
+  device->release();
+
   return true;
 
 fail_add_event_source: