l2cap: fix use after free with ERTM (close issue #181)

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 - SM: prevent random address updates if gap_random_address_set was used
 - SM: fix internal buffer overrun that can cause storing of bonding information to fail
+- L2CAP: fix use after free on disconnect if ERTM is enabled
 
 ## Changes October 2018
 

src/l2cap.c

@@ -1511,6 +1511,7 @@ static void l2cap_run(void){
                 l2cap_send_signaling_packet( channel->con_handle, DISCONNECTION_RESPONSE, channel->remote_sig_id, channel->local_cid, channel->remote_cid);   
                 // we don't start an RTX timer for a disconnect - there's no point in closing the channel if the other side doesn't respond :)
                 l2cap_finialize_channel_close(channel);  // -- remove from list
+                channel = NULL;
                 break;
                 
             case L2CAP_STATE_WILL_SEND_DISCONNECT_REQUEST:
@@ -1524,7 +1525,9 @@ static void l2cap_run(void){
         }
 
 #ifdef ENABLE_L2CAP_ENHANCED_RETRANSMISSION_MODE
-        // send s-frame to acknowledge received packets
+
+        // check if we can still send
+        if (!channel) continue;
         if (channel->con_handle == HCI_CON_HANDLE_INVALID) continue;
         if (!hci_can_send_acl_packet_now(channel->con_handle)) continue;