From 12804eb119b0695528fba9ba0cea01d4bb790f8e Mon Sep 17 00:00:00 2001
From: David Lesaffre
Date: Wed, 23 Jan 2013 14:25:33 +0100
Subject: [PATCH] prevent read in freed memory
---
 channels/serial/client/serial_main.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/channels/serial/client/serial_main.c b/channels/serial/client/serial_main.c
index 83694bdee..71eefe61d 100644
--- a/channels/serial/client/serial_main.c
+++ b/channels/serial/client/serial_main.c
@@ -570,6 +570,7 @@ static void __serial_check_fds(SERIAL_DEVICE* serial)
 IRP* prev;
 SERIAL_TTY* tty;
 UINT32 result = 0;
+ BOOL irp_completed = FALSE;
 memset(&serial->tv, 0, sizeof(struct timeval));
 tty = serial->tty;
@@ -588,6 +589,7 @@ static void __serial_check_fds(SERIAL_DEVICE* serial)
 {
 irp->IoStatus = STATUS_SUCCESS;
 serial_process_irp_read(serial, irp);
+ irp_completed = TRUE;
 }
 break;
@@ -596,6 +598,7 @@ static void __serial_check_fds(SERIAL_DEVICE* serial)
 {
 irp->IoStatus = STATUS_SUCCESS;
 serial_process_irp_write(serial, irp);
+ irp_completed = TRUE;
 }
 break;
@@ -607,6 +610,7 @@ static void __serial_check_fds(SERIAL_DEVICE* serial)
 irp->IoStatus = STATUS_SUCCESS;
 stream_write_UINT32(irp->output, result);
 irp->Complete(irp);
+ irp_completed = TRUE;
 }
 break;
@@ -618,7 +622,7 @@ static void __serial_check_fds(SERIAL_DEVICE* serial)
 prev = irp;
 irp = (IRP*) list_next(serial->pending_irps, irp);
- if (prev->IoStatus == STATUS_SUCCESS)
+ if (irp_completed || prev->IoStatus == STATUS_SUCCESS)
 {
 list_remove(serial->pending_irps, prev);
 SetEvent(serial->in_event);
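Review bot: `irp_completed` is declared once at the top of `__serial_check_fds` and no visible line sets it back to FALSE, so after the first completed IRP the test `if (irp_completed || prev->IoStatus == STATUS_SUCCESS)` in the last hunk would stay true for every later entry in the same scan. That would remove IRPs from `pending_irps` that are still pending, and they would then never be completed. Unless the flag is reset outside these hunks, add `irp_completed = FALSE;` as the first statement of each loop iteration, or declare the flag inside the loop body. The function body starts and ends outside the hunks, so this needs checking against the full loop.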
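Review bot: Setting `irp_completed = TRUE` directly after `serial_process_irp_read(serial, irp)` relies on that call always completing and releasing the IRP, which this hunk does not show; the next hunk makes the same assumption for `serial_process_irp_write`. If either helper can return with the request still outstanding, the entry is now dropped from the pending list regardless of its status. Record the contract at both call sites with a comment such as `/* completes the IRP: irp must not be dereferenced after this call */`, or have the helpers return whether they completed the IRP and assign that result to the flag.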
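Review bot: The short-circuit in `if (irp_completed || prev->IoStatus == STATUS_SUCCESS)` only avoids the `IoStatus` read. `list_next(serial->pending_irps, irp)` two lines above and `list_remove(serial->pending_irps, prev)` still receive a pointer that may already have been released. That is safe only if the list helpers compare the pointer by address and never dereference it, which is not visible in this patch. A comment stating that `prev` is used purely as a lookup key after completion would document this. Fetching the successor with `list_next` before the switch dispatches the IRP would avoid handing a stale pointer to the iterator at all.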