Applied
On Wed, 2019-08-07 at 13:06 -0700, Inga Stotland wrote:
> This fixes a crash in bluetooth-meshd due to freeing the same pointer
> twice. The fix is to initialize the address of freed TX buffer to NULL.
> ---
> mesh/mesh-io-generic.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
> index 576c5df1b..cc91f494e 100644
> --- a/mesh/mesh-io-generic.c
> +++ b/mesh/mesh-io-generic.c
> @@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
> tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type,
> L_UINT_TO_PTR(data[0]));
> l_free(tx);
> +
> + if (tx == pvt->tx)
> + pvt->tx = NULL;
> +
> } while (tx);
> - } else {
> + } else {
> struct tx_pattern pattern = {
> .data = data,
> .len = len
> @@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
> tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern,
> &pattern);
> l_free(tx);
> +
> + if (tx == pvt->tx)
> + pvt->tx = NULL;
> +
> } while (tx);
> }
>
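Review bot: The added `if (tx == pvt->tx)` in both hunks evaluates `tx` after `l_free(tx)` has already released it, so the comparison reads a pointer whose value is indeterminate once freed (C11 6.2.4); it works in practice but is not well-defined, and static analyzers and ASan-style tooling will flag a use-after-free here. Doing the check before the release gives the same result without touching a dead pointer: `if (tx == pvt->tx)` / `pvt->tx = NULL;` / `l_free(tx);`. The same reordering applies to the second hunk at `@@ -665,6 +669,10`. Since the pattern is identical in both do/while loops, a small static helper that clears `pvt->tx` and frees the entry would keep the two sites from drifting apart. tx_cancel and both loops begin before the first hunk, so the rest of the function is not visible here.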