From 3cba89e6f8147348a5cbafbb3723f7670bf8bf7a Mon Sep 17 00:00:00 2001
From: Takanori Watanabe
Date: Thu, 2 Apr 2020 09:15:31 +0000
Subject: [PATCH] Fix mbuf handling in le advertize packet processing.

Submitted by: Marc Veldman
---
 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/netgraph/bluetooth/hci/ng_hci_evnt.c b/sys/netgraph/bluetooth/hci/ng_hci_evnt.c
index b0dae0e18ecf..5b1916c8ece0 100644
--- a/sys/netgraph/bluetooth/hci/ng_hci_evnt.c
+++ b/sys/netgraph/bluetooth/hci/ng_hci_evnt.c
@@ -381,17 +381,20 @@ le_advertizing_report(ng_hci_unit_p unit, struct mbuf *event)
 	ng_hci_neighbor_p n = NULL;
 	bdaddr_t bdaddr;
 	int error = 0;
+	int num_reports = 0;
 	u_int8_t event_type;
 	u_int8_t addr_type;
-
+
 	NG_HCI_M_PULLUP(event, sizeof(*ep));
 	if (event == NULL)
 		return (ENOBUFS);
 	ep = mtod(event, ng_hci_le_advertising_report_ep *);
+	num_reports = ep->num_reports;
 	m_adj(event, sizeof(*ep));
-
-	for (; ep->num_reports > 0; ep->num_reports --) {
+	ep = NULL;
+
+	for (; num_reports > 0; num_reports --) {
 		/* Get remote unit address */
 		NG_HCI_M_PULLUP(event, sizeof(u_int8_t));
 		event_type = *mtod(event, u_int8_t *);
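Review bot: The NG_HCI_M_PULLUP inside the loop is not followed by a NULL check before `event_type = *mtod(event, u_int8_t *);`, whereas the pullup above the loop is guarded by `if (event == NULL) return (ENOBUFS);`; if a pullup fails on a report shorter than num_reports promises (the check before the loop implies it leaves event NULL), mtod() dereferences a NULL pointer. Each in-loop pullup should get the same guard, `if (event == NULL) return (ENOBUFS);`, and the caller's ownership of event on that path should be confirmed, since the chain is presumably gone after a failed pullup. The counter change itself is correct: after m_adj the ep pointer no longer addresses the header, so reading ep->num_reports on every iteration was a read through a stale pointer, and setting `ep = NULL` makes that explicit. num_reports is copied out of the controller-supplied event, so the loop bound is untrusted and the in-loop pullups are the only thing stopping it at the end of the data, which is exactly why the missing check matters. The body of le_advertizing_report continues past the end of the hunk.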