From e99e33aea8c5e480e224f4a167947dfacf4584a2 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Sun, 11 Jan 2026 09:12:37 +0100
Subject: [PATCH] [channels,serial] fix use after free
---
 channels/serial/client/serial_main.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/channels/serial/client/serial_main.c b/channels/serial/client/serial_main.c
index 2c9e88994..308afe217 100644
--- a/channels/serial/client/serial_main.c
+++ b/channels/serial/client/serial_main.c
@@ -516,17 +516,18 @@ static UINT serial_process_irp(SERIAL_DEVICE* serial, IRP* irp)
 static DWORD WINAPI irp_thread_func(LPVOID arg)
 {
 IRP_THREAD_DATA* data = (IRP_THREAD_DATA*)arg;
- UINT error = 0;
 WINPR_ASSERT(data);
 WINPR_ASSERT(data->serial);
 WINPR_ASSERT(data->irp);
 /* blocks until the end of the request */
- if ((error = serial_process_irp(data->serial, data->irp)))
+ UINT error = serial_process_irp(data->serial, data->irp);
+ if (error)
 {
 WLog_Print(data->serial->log, WLOG_ERROR, "serial_process_irp failed with error %" PRIu32 "", error);
+ data->irp->Discard(data->irp);
 goto error_out;
 }
@@ -539,9 +540,6 @@ error_out:
 if (error && data->serial->rdpcontext)
 setChannelError(data->serial->rdpcontext, error, "irp_thread_func reported an error");
- if (error)
- data->irp->Discard(data->irp);
 /* NB: At this point, the server might already being reusing
 * the CompletionId whereas the thread is not yet
 * terminated */
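Review bot: In the failure branch of irp_thread_func, `data->irp` still holds the old pointer after `data->irp->Discard(data->irp);`, and control then jumps to `error_out`, where `data` is still in use. Going by the commit subject, Discard presumably releases the IRP, so I would add `data->irp = NULL;` right after the call; any later access would then fail visibly instead of touching freed memory. A short comment would also help, for example `/* the IRP is released here; it must not be touched after this point */`, because the reason Discard moved out of `error_out` is not recorded in the code. The lines between the two hunks and the rest of the function after `error_out` are outside the diff, so whether another path still sets `error` while the IRP is already gone cannot be confirmed from here.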