Date: Mon, 13 Apr 2015 01:55:43 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r281483 - head/sys/netinet6 Message-ID: <201504130155.t3D1thVR052696@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Mon Apr 13 01:55:42 2015 New Revision: 281483 URL: https://svnweb.freebsd.org/changeset/base/281483 Log: Fix a possible refcount leak in regen_tmpaddr(). public_ifa6 may be set to NULL after taking a reference to a previous address list element. Instead, only take the reference after leaving the loop but before releasing the address list lock. Differential Revision: https://reviews.freebsd.org/D2253 Reviewed by: ae MFC after: 2 weeks Modified: head/sys/netinet6/nd6.c Modified: head/sys/netinet6/nd6.c ============================================================================== --- head/sys/netinet6/nd6.c Mon Apr 13 01:42:24 2015 (r281482) +++ head/sys/netinet6/nd6.c Mon Apr 13 01:55:42 2015 (r281483) @@ -765,11 +765,10 @@ regen_tmpaddr(struct in6_ifaddr *ia6) * address with the prefix. */ if (!IFA6_IS_DEPRECATED(it6)) - public_ifa6 = it6; - - if (public_ifa6 != NULL) - ifa_ref(&public_ifa6->ia_ifa); + public_ifa6 = it6; } + if (public_ifa6 != NULL) + ifa_ref(&public_ifa6->ia_ifa); IF_ADDR_RUNLOCK(ifp); if (public_ifa6 != NULL) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201504130155.t3D1thVR052696>