From 989124d0b9bdf3020263c9e51bec878bfe535714 Mon Sep 17 00:00:00 2001
From: Pavel Kirienko
Date: Sun, 30 Oct 2022 20:58:28 +0200
Subject: [PATCH] Fix 203 (#204)

* Fix #203
* Update the changelog
---
 README.md | 4 ++++
 libcanard/canard.c | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 943b0f9..ff63751 100644
--- a/README.md
+++ b/README.md
@@ -240,6 +240,10 @@ If you find the examples to be unclear or incorrect, please, open a ticket.
 `CANARD_UAVCAN_SPECIFICATION_VERSION_MAJOR` -> `CANARD_CYPHAL_SPECIFICATION_VERSION_MAJOR`
 `CANARD_UAVCAN_SPECIFICATION_VERSION_MINOR` -> `CANARD_CYPHAL_SPECIFICATION_VERSION_MINOR`
 
+#### v3.0.1
+
+- Remove UB as described in [203](https://github.com/OpenCyphal/libcanard/issues/203).
+
 ### v2.0
 
 - Dedicated transmission queues per redundant CAN interface with depth limits.
diff --git a/libcanard/canard.c b/libcanard/canard.c
index e3095f8..950c1ef 100644
--- a/libcanard/canard.c
+++ b/libcanard/canard.c
@@ -410,7 +410,9 @@ CANARD_PRIVATE TxChain txGenerateMultiFrameChain(CanardInstance* const ins,
 }
 else
 {
- out.tail->base.next_in_transfer = &tqi->base;
+ // C std, 6.7.2.1.15: A pointer to a structure object <...> points to its initial member, and vice versa.
+ // Can't just read tqi->base because tqi may be NULL; https://github.com/OpenCyphal/libcanard/issues/203.
+ out.tail->base.next_in_transfer = (CanardTxQueueItem*) tqi;
 }
 out.tail = tqi;
 if (NULL == out.tail)
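Review bot: The cast on the new assignment in the `else` branch of txGenerateMultiFrameChain is only correct while `base` remains the first member of tqi's struct type, and nothing visible in this hunk enforces that layout. If the struct is ever reordered, the cast would silently store a wrong pointer in `next_in_transfer` instead of failing to compile. Spelling out the null case avoids both the cast and the layout dependence: `out.tail->base.next_in_transfer = (tqi != NULL) ? &tqi->base : NULL;`. If the cast is kept, a compile-time check that `offsetof` of `base` in that struct is zero, placed next to the struct definition, would pin the assumption the new comment relies on. The function body starts and ends outside the hunk, so the allocation that can leave tqi NULL is not visible here.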