From b60abe1c3b32b8f3020e77fdad6f2207edaff3a2 Mon Sep 17 00:00:00 2001
From: Antti Yli-Tokola <antti.yli-tokola@arm.com>
Date: Fri, 1 Jun 2018 10:04:10 +0300
Subject: [PATCH] Update mbed-coap to version 4.4.4

Fixes one error: IOTCLT-2638 Hardfault during reconnection retry with Thread
---
 features/frameworks/mbed-coap/CHANGELOG.md    |  6 ++++++
 features/frameworks/mbed-coap/module.json     |  2 +-
 .../mbed-coap/source/sn_coap_protocol.c       | 21 +++++++------------
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/features/frameworks/mbed-coap/CHANGELOG.md b/features/frameworks/mbed-coap/CHANGELOG.md
index 7d8c8b0645..abecac6cef 100644
--- a/features/frameworks/mbed-coap/CHANGELOG.md
+++ b/features/frameworks/mbed-coap/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## [v4.4.4](https://github.com/ARMmbed/mbed-coap/releases/tag/v4.4.4) 
+**Closed issues:**
+ - IOTCLT-2638 [GitHub] hardfault during reconnection retry with Thread
+
+-[Full Changelog](https://github.com/ARMmbed/mbed-coap/compare/v4.4.3...v4.4.4)
+
 ## [v4.4.3](https://github.com/ARMmbed/mbed-coap/releases/tag/v4.4.3) 
 **Closed issues:**
  - IOTCLT-2506 [GitHub] Cannot set registration time if server does not use max age option
diff --git a/features/frameworks/mbed-coap/module.json b/features/frameworks/mbed-coap/module.json
index 8d94ae56b0..8a4b329621 100644
--- a/features/frameworks/mbed-coap/module.json
+++ b/features/frameworks/mbed-coap/module.json
@@ -1,6 +1,6 @@
 {
   "name": "mbed-coap",
-  "version": "4.4.3",
+  "version": "4.4.4",
   "description": "COAP library",
   "keywords": [
     "coap",
diff --git a/features/frameworks/mbed-coap/source/sn_coap_protocol.c b/features/frameworks/mbed-coap/source/sn_coap_protocol.c
index d2df0acd28..d73f70b4fc 100644
--- a/features/frameworks/mbed-coap/source/sn_coap_protocol.c
+++ b/features/frameworks/mbed-coap/source/sn_coap_protocol.c
@@ -265,12 +265,6 @@ void sn_coap_protocol_clear_sent_blockwise_messages(struct coap_s *handle)
 
     /* Loop all stored Blockwise messages in Linked list */
     ns_list_foreach_safe(coap_blockwise_msg_s, removed_blocwise_msg_ptr, &handle->linked_list_blockwise_sent_msgs) {
-        if (removed_blocwise_msg_ptr->coap_msg_ptr) {
-            handle->sn_coap_protocol_free(removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr);
-            removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr = 0;
-            sn_coap_parser_release_allocated_coap_msg_mem(handle, removed_blocwise_msg_ptr->coap_msg_ptr);
-            removed_blocwise_msg_ptr->coap_msg_ptr = 0;
-        }
         sn_coap_protocol_linked_list_blockwise_msg_remove(handle, removed_blocwise_msg_ptr);
     }
 #endif
@@ -1472,9 +1466,12 @@ static void sn_coap_protocol_handle_blockwise_timout(struct coap_s *handle)
     ns_list_foreach_safe(coap_blockwise_msg_s, removed_blocwise_msg_ptr, &handle->linked_list_blockwise_sent_msgs) {
         if ((handle->system_time - removed_blocwise_msg_ptr->timestamp)  > SN_COAP_BLOCKWISE_MAX_TIME_DATA_STORED) {
 
+            // Item must be removed from the list before calling the rx_callback function.
+            // Callback could actually clear the list and free the item and cause a use after free when callback returns.
+            ns_list_remove(&handle->linked_list_blockwise_sent_msgs, removed_blocwise_msg_ptr);
+
             /* * * * This messages has timed out, remove it from Linked list * * * */
             if( removed_blocwise_msg_ptr->coap_msg_ptr ){
-
                 if (handle->sn_coap_rx_callback) {
                     /* Notify the application about the time out */
                     removed_blocwise_msg_ptr->coap_msg_ptr->coap_status = COAP_STATUS_BUILDER_BLOCK_SENDING_FAILED;
@@ -1482,17 +1479,15 @@ static void sn_coap_protocol_handle_blockwise_timout(struct coap_s *handle)
                     handle->sn_coap_rx_callback(removed_blocwise_msg_ptr->coap_msg_ptr, NULL, removed_blocwise_msg_ptr->param);
                 }
 
-                if(removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr){
-                    handle->sn_coap_protocol_free(removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr);
-                    removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr = 0;
-                }
+                handle->sn_coap_protocol_free(removed_blocwise_msg_ptr->coap_msg_ptr->payload_ptr);
                 sn_coap_parser_release_allocated_coap_msg_mem(handle, removed_blocwise_msg_ptr->coap_msg_ptr);
-                removed_blocwise_msg_ptr->coap_msg_ptr = 0;
             }
-            sn_coap_protocol_linked_list_blockwise_msg_remove(handle, removed_blocwise_msg_ptr);
+
+            handle->sn_coap_protocol_free(removed_blocwise_msg_ptr);
         }
     }
 
+
     /* Loop all incoming Blockwise messages */
     ns_list_foreach_safe(coap_blockwise_payload_s, removed_blocwise_payload_ptr, &handle->linked_list_blockwise_received_payloads) {
         if ((handle->system_time - removed_blocwise_payload_ptr->timestamp)  > SN_COAP_BLOCKWISE_MAX_TIME_DATA_STORED) {