From 803637bc0e452392498714cd8245a06f5aea2edc Mon Sep 17 00:00:00 2001
From: Daniel Orstadius <daniel.orstadius@gmail.com>
Date: Fri, 19 Feb 2010 17:51:48 +0200
Subject: [PATCH] Fix double free on AVDTP Abort response

The pending request might be freed twice when receiving an Abort
response, in handle_unanswered_req and session_cb. Avoid freeing
it in handle_unanswered_req.
---
 audio/avdtp.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/audio/avdtp.c b/audio/avdtp.c
index 2591845..ae7c88e 100644
--- a/audio/avdtp.c
+++ b/audio/avdtp.c
@@ -905,6 +905,13 @@ static void handle_unanswered_req(struct avdtp *session,
 	struct avdtp_local_sep *lsep;
 	struct avdtp_error err;
 
+	if (session->req == AVDTP_ABORT) {
+		/* Avoid freeing the Abort request here */
+		debug("handle_unanswered_req: Abort req, returning");
+		session->req->stream = NULL;
+		return;
+	}
+
 	req = session->req;
 	session->req = NULL;
 
-- 
1.6.0.4