mesh: Fix double free of a pointer in mesh-io-generic

This fixes a crash in bluetooth-meshd due to freeing the same pointer
twice. The fix is to initialize the address of freed TX buffer to NULL.

Change-Id: I73ba5d09493b888f12b11569bdf0d0deebbf9a28
Signed-off-by: Anupam Roy <anupam.r@samsung.com>

diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
index 576c5df..cc91f49 100644 (file)
--- a/mesh/mesh-io-generic.c
+++ b/mesh/mesh-io-generic.c
@@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
                        tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type,
                                                        L_UINT_TO_PTR(data[0]));
                        l_free(tx);
+
+                       if (tx == pvt->tx)
+                               pvt->tx = NULL;
+
                } while (tx);
-       }  else {
+       } else {
                struct tx_pattern pattern = {
                        .data = data,
                        .len = len
@@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
                        tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern,
                                                                &pattern);
                        l_free(tx);
+
+                       if (tx == pvt->tx)
+                               pvt->tx = NULL;
+
                } while (tx);
        }