From 11479088c9977270202f073e48d0d3008c5e7ab6 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@apple.com>
Date: Thu, 2 Feb 2023 16:33:03 -0500
Subject: [PATCH] Make sure we don't double-close exchanges in OTA if an
 exchange times out. (#24818)

Fixes https://github.com/project-chip/connectedhomeip/issues/24329
---
 src/app/clusters/ota-requestor/DefaultOTARequestor.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/app/clusters/ota-requestor/DefaultOTARequestor.h b/src/app/clusters/ota-requestor/DefaultOTARequestor.h
index 6cbe1629b96d24..e0e45c2709af2e 100644
--- a/src/app/clusters/ota-requestor/DefaultOTARequestor.h
+++ b/src/app/clusters/ota-requestor/DefaultOTARequestor.h
@@ -173,6 +173,12 @@ class DefaultOTARequestor : public OTARequestorInterface, public BDXDownloader::
         void OnResponseTimeout(chip::Messaging::ExchangeContext * ec) override
         {
             ChipLogError(BDX, "exchange timed out");
+            // Null out mExchangeCtx before calling OnDownloadTimeout, in case
+            // the downloader decides to call Reset() on us.  If we don't, we
+            // will end up closing the exchange from Reset and then the caller
+            // will close it _again_ (see API documentation for
+            // OnResponseTimeout), which will lead to refcount underflow.
+            mExchangeCtx = nullptr;
             if (mDownloader != nullptr)
             {
                 mDownloader->OnDownloadTimeout();