From 5e640411f53074450e57ef923cab742925c7ac29 Mon Sep 17 00:00:00 2001
From: Oskar Nordquist
Date: Tue, 21 Oct 2014 15:25:52 +0200
Subject: [PATCH] core/net/rime/ipolite: stop ctimer and reset queuebuf pointer when canceling old send

Ipolite is used by netflood and route-discovery modules among others. If a route request is yet to be re-broadcasted and a local route discovery is started (interval == 0), the previous queuebuf used is freed but ctimer and queuebuf pointer is left unchanged. This causes corrupt route requests to be sent, invalid routing tables to be formed, memcmp() on NULL pointer on receive, and other undefined behavior.

Signed-off-by: Oskar Nordquist
---
 core/net/rime/ipolite.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/net/rime/ipolite.c b/core/net/rime/ipolite.c
index 0ea19b160..3b0ced1ca 100644
--- a/core/net/rime/ipolite.c
+++ b/core/net/rime/ipolite.c
@@ -148,6 +148,8 @@ ipolite_send(struct ipolite_conn *c, clock_time_t interval, uint8_t hdrsize)
     PRINTF("%d.%d: ipolite_send: cancel old send\n",
            linkaddr_node_addr.u8[0],linkaddr_node_addr.u8[1]);
     queuebuf_free(c->q);
+    c->q = NULL;
+    ctimer_stop(&c->t);
   }
   c->dups = 0;
   c->hdrsize = hdrsize;
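Review bot: The timer is stopped only after the queuebuf it would operate on has already been freed, so for the lines `queuebuf_free(c->q);` through `ctimer_stop(&c->t);` there is a brief window where a live timer refers to a freed buffer; under Contiki's cooperative scheduler this cannot fire in between, but moving `ctimer_stop(&c->t);` before `queuebuf_free(c->q);` makes the invariant "no running timer while c->q is NULL" hold at every statement and costs nothing. A one-line comment on the cancel branch would help the next reader, e.g. `/* Cancel the pending send: stop its timer, release its buffer, and clear the pointer so nothing can reuse it. */`. Any other path that frees c->q (presumably the send-timer callback and the close routine, neither visible here) should apply the same pointer reset, otherwise the dangling-pointer issue the commit describes reappears from a different entry point; worth verifying. ipolite_send starts before this hunk and continues after it.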