From owner-freebsd-bugs Mon Aug 7 17:56:20 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id RAA12122 for bugs-outgoing; Mon, 7 Aug 1995 17:56:20 -0700
Received: from blob.best.net (blob.best.net [204.156.128.88]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id RAA12115 for ; Mon, 7 Aug 1995 17:56:19 -0700
Received: (dillon@localhost) by blob.best.net (8.6.12/8.6.5) id RAA13312; Mon, 7 Aug 1995 17:56:18 -0700
Date: Mon, 7 Aug 1995 17:56:18 -0700
From: Matt Dillon
Message-Id: <199508080056.RAA13312@blob.best.net>
To: bugs@freebsd.org
Cc: dima@blob.best.net
Subject: Bug in unp_detach()
Sender: bugs-owner@freebsd.org
Precedence: bulk

In kern/uipc_usrreq.c, in unp_detach() the following two lines:

    m_freem(unp->unp_addr);
    (void) m_free(dtom(unp));

are called BEFORE the sorflush() in the unp_rights conditional... basically.
The calls should obviously go AFTER that conditional so the unp_addr/unp
structures are not ripped out from under sorflush().

(This caused a crash when I tried to use AF_LOCAL file descriptor passing..
in fact, it crashed about every time!).

-Matt
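
The ordering problem reported above, as an added user-space model; it is not part of the original message and is not the FreeBSD source. All names (`model_pcb`, `pcb_sock`, `detach_release_first`, and so on) are hypothetical, and the model assumes the flush reaches the socket through the structure that was just released. A liveness flag stands in for the free, so the stale access is counted rather than executed.

```c
#include <stdio.h>

/* User-space model of the ordering problem. All names are hypothetical;
 * this is not the code in kern/uipc_usrreq.c. */
struct model_sock { int queued_rights; };   /* descriptors held in the receive buffer */
struct model_pcb {
    int live;                   /* 1 while allocated, 0 once released */
    struct model_sock *sock;    /* stands in for the pcb's socket pointer */
};
static int stale_reads;         /* reads of a pcb after its release */

/* All reads of the socket pointer go through here, so a read after
 * release is counted instead of being undefined behaviour. */
static struct model_sock *pcb_sock(struct model_pcb *p) {
    if (!p->live) stale_reads++;
    return p->sock;
}

static void pcb_release(struct model_pcb *p) { p->live = 0; }
static void model_flush(struct model_sock *so) { so->queued_rights = 0; }

/* Order described in the report: release first, flush afterwards. */
static void detach_release_first(struct model_pcb *p, int rights_in_flight) {
    pcb_release(p);
    if (rights_in_flight)
        model_flush(pcb_sock(p));
}

/* Order proposed in the report: flush first, release last. */
static void detach_release_last(struct model_pcb *p, int rights_in_flight) {
    if (rights_in_flight)
        model_flush(pcb_sock(p));
    pcb_release(p);
}

/* Run one variant on a fresh (constructed) pcb; return the stale-read count. */
static int run_detach(void (*detach)(struct model_pcb *, int), int rights_in_flight) {
    struct model_sock so = { 3 };
    struct model_pcb pcb = { 1, &so };
    stale_reads = 0;
    detach(&pcb, rights_in_flight);
    return stale_reads;
}

int main(void) {
    printf("release first, rights in flight: %d\n", run_detach(detach_release_first, 1));
    printf("release last,  rights in flight: %d\n", run_detach(detach_release_last, 1));
    return 0;
}
```

In the model the stale read occurs only when rights are in flight, which matches the report that the crash showed up when descriptor passing was used.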