From 75e67d8a2b896068a232275885ecf2886b27f34f Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Mon, 13 Jan 2020 16:38:13 +0100
Subject: [PATCH] l2cap: avoid read-after-free on decline of incoming connection with ERTM enabled
---
 CHANGELOG.md | 1 +
 src/l2cap.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82964979a..f5afb0b0c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Fixed
+- L2CAP ERTM: avoid read-after-free on decline of incoming connection
 ### Added
 - att_db_util: provide GATT Database Hash via att_db_util_hash_calc
diff --git a/src/l2cap.c b/src/l2cap.c
index 361120a87..23391ccfc 100644
--- a/src/l2cap.c
+++ b/src/l2cap.c
@@ -1579,7 +1579,8 @@ static void l2cap_run(void){
 l2cap_send_signaling_packet(channel->con_handle, CONNECTION_RESPONSE, channel->remote_sig_id, channel->local_cid, channel->remote_cid, channel->reason, 0);
 // discard channel - l2cap_finialize_channel_close without sending l2cap close event
 btstack_linked_list_iterator_remove(&it);
- l2cap_free_channel_entry(channel);
+ l2cap_free_channel_entry(channel);
+ channel = NULL;
 break;
 case L2CAP_STATE_WILL_SEND_CONNECTION_RESPONSE_ACCEPT:
@@ -1676,7 +1677,7 @@ static void l2cap_run(void){
 #ifdef ENABLE_L2CAP_ENHANCED_RETRANSMISSION_MODE
- // handle channel finalize on L2CAP_STATE_WILL_SEND_DISCONNECT_RESPONSE
+ // handle channel finalize on L2CAP_STATE_WILL_SEND_DISCONNECT_RESPONSE and L2CAP_STATE_WILL_SEND_CONNECTION_RESPONSE_DECLINE
 if (!channel) continue;
 // ERTM mode
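Review bot: The new `channel = NULL;` after `l2cap_free_channel_entry(channel);` only prevents the use-after-free if every later use of `channel` in the same loop iteration is guarded, and the only guard visible is the `if (!channel) continue;` that sits inside `#ifdef ENABLE_L2CAP_ENHANCED_RETRANSMISSION_MODE` in the second hunk; any code between the end of the `switch` and that `#ifdef` (outside both hunks) would still touch freed memory, and in builds without ERTM the sentinel is never checked at all. If nothing after the switch has to run for a discarded channel, replacing `break;` with `continue;` directly after the free would express that intent without depending on a conditionally compiled check. Either way, a comment at the assignment such as `// channel has been freed; skip any further per-channel processing in this iteration` would tell the next reader why the sentinel exists. The enclosing function l2cap_run begins and ends outside the hunk.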