Fix pointer corruption in gatt_server_deinitialize

The next node pointer of the gatt_server_list must be
stored before removing the current node.

Change-Id: I416a3a17d0c314f246449d6f458cffe6daaff2c3

diff --git a/src/bluetooth-gatt.c b/src/bluetooth-gatt.c
index 33b0b47..5e0791f 100644 (file)
--- a/src/bluetooth-gatt.c
+++ b/src/bluetooth-gatt.c
@@ -2725,8 +2725,9 @@ int bt_gatt_server_deinitialize(void)
 
        if (is_gatt_server_initialized) {
                GSList *l;
-               for (l = gatt_server_list; l; l = g_slist_next(l)) {
+               for (l = gatt_server_list; l;) {
                        bt_gatt_server_s *serv = l->data;
+                       l = g_slist_next(l);
                        bt_gatt_server_destroy(serv);
                }
                g_slist_free(gatt_server_list);