From 1f9177812c47877a020ac6ce30ba76bbc697a432 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Sun, 15 Dec 2013 20:55:48 +0100
Subject: [PATCH] emulator/bthost: Fix use after free in bthost_destroy

cmd was dereferenced after free. Use temp pointer for freeing.
---
 emulator/bthost.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/emulator/bthost.c b/emulator/bthost.c
index 10e7a0572..b05072a4d 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -186,13 +186,15 @@ static struct l2conn *btconn_find_l2cap_conn_by_scid(struct btconn *conn,
 
 void bthost_destroy(struct bthost *bthost)
 {
- struct cmd *cmd;
-
 if (!bthost)
 return;
 
- for (cmd = bthost->cmd_q.tail; cmd != NULL; cmd = cmd->next)
+ while (bthost->cmd_q.tail) {
+ struct cmd *cmd = bthost->cmd_q.tail;
+
+ bthost->cmd_q.tail = cmd->next;
 free(cmd);
+ }
 
 while (bthost->conns) {
 struct btconn *conn = bthost->conns;
-- 
2.47.3
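Review bot: The new `while (bthost->cmd_q.tail)` loop still starts at the queue's tail and advances through `cmd->next`, so whether it frees every queued command depends on which way the list is linked. If commands are appended at the tail with `next` set to NULL (the enqueue code is outside this hunk, so this needs confirming), the loop frees only the last entry and leaks the rest. In that case the walk should start from the other end of the queue or follow the back link instead of `next`. A one-line comment above the loop, such as `/* detach each node before freeing it; cmd must not be read after free() */`, would also record why the temporary pointer exists. The body of bthost_destroy continues past the end of the hunk.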