Re-fetch the interface handle after setting the config number,

because the previous interface handle gets freed when the config
number is set. This fixes a problem where memory could be accessed
after it was freed when the interface was ifconfig'd up.

Reviewed by:	n_hibma

2 files changed, 4 insertions, 1 deletions

diff --git a/sys/dev/usb/if_kue.c b/sys/dev/usb/if_kue.c
index 1805108..8c50cf5 100644
--- a/sys/dev/usb/if_kue.c
+++ b/sys/dev/usb/if_kue.c
@@ -363,7 +363,9 @@ kue_setmulti(struct kue_softc *sc)
 Static void
 kue_reset(struct kue_softc *sc)
 {
-	if (usbd_set_config_no(sc->kue_udev, KUE_CONFIG_NO, 0)) {
+	if (usbd_set_config_no(sc->kue_udev, KUE_CONFIG_NO, 0) ||
+	    usbd_device2interface_handle(sc->kue_udev, KUE_IFACE_IDX,
+	    &sc->kue_iface)) {
 		printf("kue%d: getting interface handle failed\n",
 		    sc->kue_unit);
 	}
diff --git a/sys/dev/usb/if_kuereg.h b/sys/dev/usb/if_kuereg.h
index 0654ab6..a72faad 100644
--- a/sys/dev/usb/if_kuereg.h
+++ b/sys/dev/usb/if_kuereg.h
@@ -121,6 +121,7 @@ struct kue_ether_desc {
 #define KUE_CTL_WRITE		0x02
 
 #define KUE_CONFIG_NO		1
+#define KUE_IFACE_IDX		0
 
 /*
  * The interrupt endpoint is currently unused