From fe3d5d542d867a1d4da331035a60403bf7289998 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Date: Wed, 30 Mar 2016 17:38:13 +0100
Subject: char-device: Avoid use-after-free

Reset pointer after freeing the structure pointing to it.

Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
---
 server/char-device.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/char-device.c b/server/char-device.c
index 6704678c..53bfe823 100644
--- a/server/char-device.c
+++ b/server/char-device.c
@@ -211,6 +211,7 @@ static void spice_char_device_client_free(SpiceCharDeviceState *dev,
 
     if (dev_client->wait_for_tokens_timer) {
         reds_core_timer_remove(dev->priv->reds, dev_client->wait_for_tokens_timer);
+        dev_client->wait_for_tokens_timer = NULL;
     }
 
     spice_char_device_client_send_queue_free(dev, dev_client);
-- 
cgit v1.2.3