From: Archie Pusaka <apusaka@xxxxxxxxxxxx>
One instance of freeing temporary_timer is not followed by setting
the variable to 0, causing potential double free.
Reviewed-by: Yun-Hao Chung <howardchung@xxxxxxxxxx>
---
src/device.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/device.c b/src/device.c
index a5ef467301..2800b276a2 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4477,8 +4477,10 @@ void device_remove(struct btd_device *device, gboolean remove_stored)
disconnect_all(device);
}
- if (device->temporary_timer > 0)
+ if (device->temporary_timer > 0) {
g_source_remove(device->temporary_timer);
+ device->temporary_timer = 0;
+ }
if (device->store_id > 0) {
g_source_remove(device->store_id);
--
2.29.0.rc1.297.gfa9743e501-goog
