From d88a0a77224183029d3e2e63afe4576758bf79f9 Mon Sep 17 00:00:00 2001
From: Inga Stotland
Date: Wed, 7 Aug 2019 13:06:36 -0700
Subject: [PATCH] mesh: Fix double free of a pointer in mesh-io-generic

This fixes a crash in bluetooth-meshd due to freeing the same pointer twice. The fix is to initialize the address of freed TX buffer to NULL.

Change-Id: I73ba5d09493b888f12b11569bdf0d0deebbf9a28
Signed-off-by: Anupam Roy
---
 mesh/mesh-io-generic.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c
index 576c5df..cc91f49 100644
--- a/mesh/mesh-io-generic.c
+++ b/mesh/mesh-io-generic.c
@@ -654,8 +654,12 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
 tx = l_queue_remove_if(pvt->tx_pkts, find_by_ad_type,
 L_UINT_TO_PTR(data[0]));
 l_free(tx);
+
+ if (tx == pvt->tx)
+ pvt->tx = NULL;
+
 } while (tx);
- } else {
+ } else {
 struct tx_pattern pattern = {
 .data = data,
 .len = len
@@ -665,6 +669,10 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len)
 tx = l_queue_remove_if(pvt->tx_pkts, find_by_pattern,
 &pattern);
 l_free(tx);
+
+ if (tx == pvt->tx)
+ pvt->tx = NULL;
+
 } while (tx);
 }

-- 
2.7.4
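Review bot: The added guard `if (tx == pvt->tx)` is placed after `l_free(tx)` in both hunks (the find_by_ad_type loop at new lines 654–658 and the find_by_pattern loop at new lines 669–673), so it reads the value of a pointer whose object has just been released; C11 6.2.4 makes that value indeterminate, and address sanitizers and some compilers treat the comparison as a use-after-free even though nothing is dereferenced. Moving the check ahead of the free gives the same clearing of the dangling `pvt->tx` without touching a dead pointer: `if (tx == pvt->tx) pvt->tx = NULL;` followed by `l_free(tx);`. The pre-existing `} while (tx);` condition has the same shape, so it could share a local such as `bool more = tx != NULL;` computed before the free, but that is outside what this fix needs. The `} else {` line is re-emitted with only whitespace changed, which adds unrelated noise to a crash fix and would be cleaner in a separate cleanup commit. tx_cancel starts and ends outside both hunks, so whether `pvt->tx` can still hold a stale entry freed on any other path cannot be confirmed from the patch alone.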