From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Thu, 14 Aug 2014 07:29:12 +0000 (+0800)
Subject: l2cap: fix access to freed memory
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=2c145d7a73206afc576fea86514e892e11481dab;p=qemu.git

l2cap: fix access to freed memory

Pointer 'ch' will be used in function 'l2cap_channel_open_req_msg' after
it was previously freed in 'l2cap_channel_open'.
Assigned it to NULL after it is freed.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---

diff --git a/hw/bt/l2cap.c b/hw/bt/l2cap.c
index 2301d6f87f..591e047781 100644
--- a/hw/bt/l2cap.c
+++ b/hw/bt/l2cap.c
@@ -429,7 +429,7 @@ static struct l2cap_chan_s *l2cap_channel_open(struct l2cap_instance_s *l2cap,
                 status = L2CAP_CS_NO_INFO;
             } else {
                 g_free(ch);
-
+                ch = NULL;
                 result = L2CAP_CR_NO_MEM;
                 status = L2CAP_CS_NO_INFO;
             }