From c17a946594ca08caeb47a12cdd4cd75df6fe74ff Mon Sep 17 00:00:00 2001
From: Matthieu Boutier <boutier@pps.univ-paris-diderot.fr>
Date: Sun, 17 Apr 2016 11:25:13 +0200
Subject: [PATCH] Fix route->channels double-free corruption.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The code assumes that route->channels is NULL when route->channels_len
is 0, such that free(route->channels) will work.

Think about this scenario:
  update(r, some channels)  # route->channels = malloc(…)
  update(r, no channel)  # free(route->channels)
  update(r, no channel)  # free(route->channels)

Thanks to Dave Taht for pointing out the issue.
---
 route.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/route.c b/route.c
index 0b55c8c..1a8d59f 100644
--- a/route.c
+++ b/route.c
@@ -918,6 +918,7 @@ update_route(const unsigned char *id,
 
         if(channels_len == 0) {
             free(route->channels);
+            route->channels = NULL;
             route->channels_len = 0;
         } else {
             if(channels_len != route->channels_len) {
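Review bot: the added `route->channels = NULL;` is the right fix for the scenario in the commit message, because the second no-channel update then calls `free(NULL)`, which the C standard defines as a no-op, instead of freeing a dangling pointer a second time. Two things are worth checking alongside it: the `else` branch now starts from a NULL pointer with `channels_len` 0 after an empty update, so its `channels_len != route->channels_len` path must allocate fresh storage rather than assume a live buffer; and any other site that frees `route->channels` (route teardown, for instance) should reset the pointer the same way, or it has the same latent double free. A short regression test replaying the update / no-channel / no-channel sequence from the commit message would lock this in.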
-- 
2.6.4 (Apple Git-63)
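An added example, not the project's own code, that replays the commit message's scenario against a hypothetical minimal `struct route` and a `set_channels()` written to follow the shape of the patched branch (the field names come from the patch; the function and struct are assumptions).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal route: only the two fields named in the patch. */
struct route {
    unsigned char *channels;
    int channels_len;
};

/* Replace the channel list of a route. Mirrors the patched branch of
   update_route(): an empty list frees the buffer and, crucially, resets
   the pointer to NULL, so a second empty update calls free(NULL), which
   the C standard defines as a no-op, instead of freeing the block twice. */
int set_channels(struct route *route, const unsigned char *channels, int channels_len)
{
    if(channels_len == 0) {
        free(route->channels);
        route->channels = NULL;      /* the one-line fix from the patch */
        route->channels_len = 0;
        return 0;
    }
    if(channels_len != route->channels_len) {
        /* realloc(NULL, n) acts like malloc(n): the NULL left by an empty update is safe here. */
        unsigned char *p = realloc(route->channels, channels_len);
        if(p == NULL)
            return -1;               /* keep the old buffer on failure */
        route->channels = p;
        route->channels_len = channels_len;
    }
    memcpy(route->channels, channels, channels_len);
    return 0;
}

/* Replays the commit message's sequence: some channels, none, none. */
int replay_scenario(void)
{
    struct route r = { NULL, 0 };
    const unsigned char some[] = { 1, 2, 3 };   /* constructed sample input */
    if(set_channels(&r, some, 3) != 0) return -1;
    if(r.channels_len != 3 || r.channels[2] != 3) return -2;
    set_channels(&r, NULL, 0);   /* free(route->channels) */
    set_channels(&r, NULL, 0);   /* free(NULL): no-op, no double free */
    if(r.channels != NULL || r.channels_len != 0) return -3;
    if(set_channels(&r, some, 2) != 0) return -4; /* realloc from NULL */
    int ok = (r.channels_len == 2 && r.channels[1] == 2);
    free(r.channels);
    return ok ? 0 : -5;
}
```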

