From c300af4954948019eb58bd2cefdf373cb2994eff Mon Sep 17 00:00:00 2001
From: srinivasa rao cheruku
Date: Thu, 28 May 2020 12:38:54 -0400
Subject: [PATCH 3/5] __svc_vc_dodestroy: fix double free of xp_ltaddr.buf

In svc_fd_create(), upon error, freeing xp_ltaddr.buf and null is returned to the caller as expected. The allocated SVCXPRT is added to svc_pollfd and during destroy __svc_vc_dodestroy(), xp_ltaddr.buf is being freed again causing double free. Fix is to reset the pointer when ever freed first.

Reported-by: Sreedharbabu Vykuntam
Reviewed-by: Ian Kent
Signed-off-by: Srinivasarao Cheruku
Signed-off-by: Steve Dickson
---
 src/svc_vc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/svc_vc.c b/src/svc_vc.c
index c23cd36..f1d9f00 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -243,7 +243,7 @@ svc_fd_create(fd, sendsize, recvsize)
 goto freedata;
 }
 if (!__rpc_set_netbuf(&ret->xp_rtaddr, &ss, sizeof(ss))) {
- warnx("svc_fd_create: no mem for local addr");
+ warnx("svc_fd_create: no mem for remote addr");
 goto freedata;
 }
@@ -253,9 +253,10 @@ svc_fd_create(fd, sendsize, recvsize)
 return ret;
 freedata:
- if (ret->xp_ltaddr.buf != NULL)
+ if (ret->xp_ltaddr.buf != NULL) {
 mem_free(ret->xp_ltaddr.buf, rep->xp_ltaddr.maxlen);
-
+ ret->xp_ltaddr.buf = NULL;
+ }
 return NULL;
 }
-- 
1.8.3.1
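Review bot: The `freedata:` path in the second hunk still returns NULL without releasing or unregistering `ret`; the added `ret->xp_ltaddr.buf = NULL;` only makes the later free in __svc_vc_dodestroy() harmless. Per the commit description the SVCXPRT is already in svc_pollfd at this point, so the caller is told the create failed while a transport with missing addresses stays live; the allocation and registration are outside the hunk, so this is inferred rather than visible. Consider destroying the transport on this path, or at least adding a comment such as `/* ret stays registered; __svc_vc_dodestroy() frees the rest */`. The unchanged `mem_free(ret->xp_ltaddr.buf, rep->xp_ltaddr.maxlen);` names `rep` where every other reference is `ret`; it presumably compiles only because mem_free ignores its size argument, and it should read `ret->xp_ltaddr.maxlen`.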