From e2c1f7d5b5ece98bf09a8011953cb07d59754c3d Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Sun, 18 Oct 2009 09:26:27 +0000
Subject: [PATCH] dhcp_unfold_reply: NULL memory might have been freed after mem_malloc returned NULL
---
 src/core/dhcp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/core/dhcp.c b/src/core/dhcp.c
index 28ed8c28..51fd76a4 100644
--- a/src/core/dhcp.c
+++ b/src/core/dhcp.c
@@ -1318,14 +1318,18 @@ dhcp_unfold_reply(struct dhcp *dhcp)
 dhcp->options_in = mem_malloc(dhcp->options_in_len);
 if (dhcp->options_in == NULL) {
 LWIP_DEBUGF(DHCP_DEBUG | LWIP_DBG_TRACE | 2, ("dhcp_unfold_reply(): could not allocate dhcp->options\n"));
+ dhcp->options_in_len = 0;
 return ERR_MEM;
 }
 }
 dhcp->msg_in = mem_malloc(sizeof(struct dhcp_msg) - DHCP_OPTIONS_LEN);
 if (dhcp->msg_in == NULL) {
 LWIP_DEBUGF(DHCP_DEBUG | LWIP_DBG_TRACE | 2, ("dhcp_unfold_reply(): could not allocate dhcp->msg_in\n"));
- mem_free((void *)dhcp->options_in);
- dhcp->options_in = NULL;
+ if (dhcp->options_in != NULL) {
+ mem_free((void *)dhcp->options_in);
+ dhcp->options_in = NULL;
+ dhcp->options_in_len = 0;
+ }
 return ERR_MEM;
 }
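Review bot: In the `dhcp->msg_in == NULL` branch the new `dhcp->options_in_len = 0;` sits inside the `if (dhcp->options_in != NULL)` guard, so on that error path the length is cleared only when a buffer was actually freed. Whether `options_in_len` is already zero when `options_in` is NULL depends on code above the hunk that is not visible here; moving the reset below the guard's closing brace would make this path leave `options_in == NULL` and `options_in_len == 0` together unconditionally. That pairing matters because any later reader that trusts a non-zero length would index through a NULL pointer. The first allocation is sized from `dhcp->options_in_len`, so the field is written before the allocation result is known; a short comment such as `/* options_in_len is only meaningful while options_in != NULL */` next to these resets would document the invariant they maintain. The body of dhcp_unfold_reply starts and ends outside the hunk.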