Avoid null-pointer dereference in l2c_release_lcb()

author Andre Eisenbach <eisenbach@google.com>

Wed, 8 Apr 2015 17:01:56 +0000 (10:01 -0700)

committer Andre Eisenbach <eisenbach@google.com>

Wed, 8 Apr 2015 17:27:07 +0000 (10:27 -0700)
author Andre Eisenbach <eisenbach@google.com>
Wed, 8 Apr 2015 17:01:56 +0000 (10:01 -0700)
committer Andre Eisenbach <eisenbach@google.com>
Wed, 8 Apr 2015 17:27:07 +0000 (10:27 -0700)
diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c

index a4267a5..2c992d2 100644 (file)
--- a/stack/l2cap/l2c_utils.c
+++ b/stack/l2cap/l2c_utils.c
@@ -214,14 +214,18 @@ void l2cu_release_lcb (tL2C_LCB *p_lcb)
  #else
          btm_acl_removed (p_lcb->remote_bd_addr, BT_TRANSPORT_BR_EDR);
  #endif
+
      /* Release any held buffers */
-    while (!list_is_empty(p_lcb->link_xmit_data_q)) {
-        BT_HDR *p_buf = list_front(p_lcb->link_xmit_data_q);
-        list_remove(p_lcb->link_xmit_data_q, p_buf);
-        GKI_freebuf(p_buf);
+    if (p_lcb->link_xmit_data_q)
+    {
+        while (!list_is_empty(p_lcb->link_xmit_data_q)) {
+            BT_HDR *p_buf = list_front(p_lcb->link_xmit_data_q);
+            list_remove(p_lcb->link_xmit_data_q, p_buf);
+            GKI_freebuf(p_buf);
+        }
+        list_free(p_lcb->link_xmit_data_q);
+        p_lcb->link_xmit_data_q = NULL;
      }
-    list_free(p_lcb->link_xmit_data_q);
-    p_lcb->link_xmit_data_q = NULL;
  
  #if (L2CAP_UCD_INCLUDED == TRUE)
      /* clean up any security pending UCD */
author	Andre Eisenbach <eisenbach@google.com>
	Wed, 8 Apr 2015 17:01:56 +0000 (10:01 -0700)
committer	Andre Eisenbach <eisenbach@google.com>
	Wed, 8 Apr 2015 17:27:07 +0000 (10:27 -0700)