From: Inga Stotland
To: linux-bluetooth@vger.kernel.org
Cc: brian.gix@intel.com, Inga Stotland
Subject: [PATCH BlueZ] mesh: Fix double free of a pointer in mesh-io-generic
Date: Wed, 7 Aug 2019 13:06:36 -0700
Message-Id: <20190807200636.19614-1-inga.stotland@intel.com>

This fixes a crash in bluetooth-meshd due to freeing the same pointer twice. The fix is to initialize the address of the freed TX buffer to NULL.
---
 mesh/mesh-io-generic.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c index 576c5df1b..cc91f494e 100644 --- a/mesh/mesh-io-generic.c +++ b/mesh/mesh-io-generic.c @@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len) tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type, L_UINT_TO_PTR(data[0])); l_free(tx); + + if (tx == pvt->tx) + pvt->tx = NULL; + } while (tx); - } else { + } else { struct tx_pattern pattern = { .data = data, .len = len @@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len) tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern, &pattern); l_free(tx); + + if (tx == pvt->tx) + pvt->tx = NULL; + } while (tx); } -- 2.21.0
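Review bot: in the first hunk (the `find_by_ad_type` loop at @@ -654) the new `if (tx == pvt->tx)` test runs after `l_free(tx)`, so it compares the value of a pointer that has already been freed; nothing is dereferenced, so it works in practice, but the C standard treats the value of a freed pointer as indeterminate and static analysers flag the pattern, so clearing the alias before the free is both cleaner and safer: `if (tx == pvt->tx) pvt->tx = NULL; l_free(tx);`. The `-} else {` / `+} else {` pair in the same hunk is a whitespace-only change unrelated to the double-free fix and would be easier to review in a separate cleanup patch.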
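Review bot: the second hunk (the `find_by_pattern` loop at @@ -665) duplicates the three-line `if (tx == pvt->tx) pvt->tx = NULL;` block from the first hunk, with the same free-then-compare ordering; since both do-while loops follow the identical `l_queue_remove_if(...)` then `l_free(tx)` shape, a small static helper that clears `pvt->tx` when it aliases the entry and then frees it would keep the two paths from drifting apart the next time one of them changes. The commit message would also benefit from naming where the second free of `pvt->tx` occurs, since that code path is not visible in either hunk and a reader cannot otherwise confirm that clearing the alias here covers every double-free case.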