2019-08-07 20:07:34

by Stotland, Inga

Subject: [PATCH BlueZ] mesh: Fix double free of a pointer in mesh-io-generic

This fixes a crash in bluetooth-meshd due to freeing the same pointer
twice. The fix is to reset the saved pointer to the freed TX buffer to NULL.
---
mesh/mesh-io-generic.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
index 576c5df1b..cc91f494e 100644
--- a/mesh/mesh-io-generic.c
+++ b/mesh/mesh-io-generic.c
@@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type,
L_UINT_TO_PTR(data[0]));
l_free(tx);
+
+ if (tx == pvt->tx)
+ pvt->tx = NULL;
+
} while (tx);
- } else {
+ } else {
struct tx_pattern pattern = {
.data = data,
.len = len
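Review bot: The new check `if (tx == pvt->tx)` is placed after `l_free(tx);`, so it compares the value of a pointer whose object has already been freed; C treats that value as indeterminate once the object's lifetime ends, and static analyzers report the comparison as a use-after-free even though nothing is dereferenced. Doing the comparison first gives the same result without touching a freed pointer: `if (tx == pvt->tx)`, `pvt->tx = NULL;`, then `l_free(tx);`. The second hunk (the find_by_pattern loop) has the same ordering and would get the same change. tx_cancel begins before this hunk and continues after it.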
@@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern,
&pattern);
l_free(tx);
+
+ if (tx == pvt->tx)
+ pvt->tx = NULL;
+
} while (tx);
}

--
2.21.0


2019-08-08 18:58:25

by Gix, Brian

Subject: Re: [PATCH BlueZ] mesh: Fix double free of a pointer in mesh-io-generic

Applied

On Wed, 2019-08-07 at 13:06 -0700, Inga Stotland wrote:
> This fixes a crash in bluetooth-meshd due to freeing the same pointer
> twice. The fix is to initialize the address of freed TX buffer to NULL.
> ---
> mesh/mesh-io-generic.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
> index 576c5df1b..cc91f494e 100644
> --- a/mesh/mesh-io-generic.c
> +++ b/mesh/mesh-io-generic.c
> @@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
> tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type,
> L_UINT_TO_PTR(data[0]));
> l_free(tx);
> +
> + if (tx == pvt->tx)
> + pvt->tx = NULL;
> +
> } while (tx);
> - } else {
> + } else {
> struct tx_pattern pattern = {
> .data = data,
> .len = len
> @@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
> tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern,
> &pattern);
> l_free(tx);
> +
> + if (tx == pvt->tx)
> + pvt->tx = NULL;
> +
> } while (tx);
> }
>