From b8f0b2279fc218f44c1d8e0f67272513316ef504 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Thu, 2 Oct 2008 12:53:18 +0000
Subject: [PATCH] DEVEL15-rx-current-packet-double-free-20081003
LICENSE MIT
in rxi_WriteProc() make sure that rx_call currentPacket is set to NULL after the rx_packet is added to a queue or passed to rx_freePacket(). Otherwise we will panic when we attempt to call rx_freePacket twice on the same packet.
(cherry picked from commit 1e7203940456e783aad215e939c04ed01dd45599)
---
 src/rx/rx_rdwr.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/rx/rx_rdwr.c b/src/rx/rx_rdwr.c
index 22149af70..e3aac08a5 100644
--- a/src/rx/rx_rdwr.c
+++ b/src/rx/rx_rdwr.c
@@ -1121,6 +1121,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 rxi_PrepareSendPacket(call, cp, 0);
 cp->flags |= RX_PKTFLAG_TQ;
 queue_Append(&tmpq, cp);
+ cp = call->currentPacket = (struct rx_packet *)0;
 /* The head of the iovq is now the current packet */
 if (nbytes) {
@@ -1152,6 +1153,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 if (cp) {
 cp->flags &= ~RX_PKTFLAG_CP;
 queue_Prepend(&tmpq, cp);
+ cp = call->currentPacket = (struct rx_packet *)0;
 }
 rxi_FreePackets(0, &tmpq);
 return 0;
@@ -1197,6 +1199,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 if (cp) {
 cp->flags &= ~RX_PKTFLAG_CP;
 rxi_FreePacket(cp);
+ cp = call->currentPacket = (struct rx_packet *)0;
 }
 return 0;
 }
-- 
2.39.5
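Review bot: The reset added after `queue_Append(&tmpq, cp);` in the first hunk carries no comment stating the ownership rule it enforces; I would add `/* tmpq owns the packet now; drop the call's reference so it cannot be freed a second time */` above it, and the same one-liner fits the resets in the second and third hunks. The hunk headers place all three changes in rxi_WritevProc while the description names rxi_WriteProc, so it is worth confirming that rxi_WriteProc's own hand-off paths clear `call->currentPacket` as well; they are not visible here. The enclosing block starts and ends outside the hunk.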
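Review bot: In the third hunk `call->currentPacket` is cleared only after `rxi_FreePacket(cp);`, so between the two statements the call still references a packet that has already been handed to rxi_FreePacket. Clearing the field first closes that window at no cost: `call->currentPacket = (struct rx_packet *)0;`, then `rxi_FreePacket(cp);`, then `cp = (struct rx_packet *)0;`. Whether anything else can reach the call in that window depends on locking that is not visible in the hunk, so treat this as hardening rather than a confirmed race. The `if (cp)` block lies fully inside the hunk; the function body starts above it.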