In the failure path of the orig_node initialization routine a double free is hit because orig_node->bat_iv.bcast_own is not set to NULL after being free'd.
Fix it by setting bcast_own to NULL after having free'd it.
Signed-off-by: Antonio Quartulli antonio@meshcoding.com
---
 bat_iv_ogm.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c index c07e59f..cb4c18a 100644 --- a/bat_iv_ogm.c +++ b/bat_iv_ogm.c @@ -255,6 +255,8 @@ batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const uint8_t *addr)
free_bcast_own: kfree(orig_node->bat_iv.bcast_own); + /* make it NULL to avoid second free in batadv_iv_ogm_orig_free() */ + orig_node->bat_iv.bcast_own = NULL; free_orig_node: /* free twice, as batadv_orig_node_new sets refcount to 2 */ batadv_orig_node_free_ref(orig_node);
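Review bot: At the free_bcast_own label the NULL assignment is correct, but the commit message does not name the change that introduced the double free; a Fixes: line pointing at that commit would make it clear which trees need this. The fix relies on kfree(NULL) being a no-op when batadv_iv_ogm_orig_free() later runs during the reference drops under free_orig_node, which holds. It is also worth confirming that no other bat_iv member released on this error path is released again by batadv_iv_ogm_orig_free(), since only bcast_own is reset here.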
b.a.t.m.a.n@lists.open-mesh.org