From 7b406ad5ccead37da4c8c2ec044528811a89e907 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Mon, 2 Aug 2010 23:31:26 +0200
Subject: lce: clear retransmission pointer when opening/confirming a new transaction
Fix use-after-free when the transaction is used for a second time.
Signed-off-by: Patrick McHardy
---
 src/lce.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')
diff --git a/src/lce.c b/src/lce.c
index 1bc4bc9..9858fff 100644
--- a/src/lce.c
+++ b/src/lce.c
@@ -1076,6 +1076,7 @@ int dect_ddl_transaction_open(struct dect_handle *dh, struct dect_transaction *t
 ddl_debug(ddl, "open transaction: %s TV: %u", protocol->name, tv);
 ta->link = ddl;
+ ta->mb = NULL;
 ta->pd = pd;
 ta->role = DECT_TRANSACTION_INITIATOR;
 ta->state = DECT_TRANSACTION_OPEN;
@@ -1101,6 +1102,7 @@ void dect_transaction_confirm(struct dect_handle *dh, struct dect_transaction *t
 const struct dect_transaction *req)
 {
 ta->link = req->link;
+ ta->mb = NULL;
 ta->tv = req->tv;
 ta->role = req->role;
 ta->pd = req->pd;
-- 
cgit v1.2.3
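Review bot: Setting `ta->mb = NULL` in dect_ddl_transaction_open() (and the identical line in dect_transaction_confirm()) repairs the pointer only at the moment the transaction is reused, so between the release of the retransmission buffer and the next open/confirm `ta->mb` presumably still holds a freed address. The release site is not visible in this patch; if it sits in the transaction-close path, clearing the pointer there immediately after the free would remove the stale value for every reader, with these two assignments kept as a second line of defence. It is also worth confirming that no caller can reach either function while `ta->mb` still owns a live buffer, since the unconditional overwrite would then drop the only reference. A short comment above each assignment, e.g. `/* transaction may be reused: drop stale retransmission buffer pointer */`, would record why the reset is needed. Both function bodies continue outside their hunks.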