From owner-svn-src-head@FreeBSD.ORG Tue Dec 16 00:16:51 2008 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BA3641065679; Tue, 16 Dec 2008 00:16:51 +0000 (UTC) (envelope-from kmacy@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A6FB98FC13; Tue, 16 Dec 2008 00:16:51 +0000 (UTC) (envelope-from kmacy@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id mBG0Gp6G020711; Tue, 16 Dec 2008 00:16:51 GMT (envelope-from kmacy@svn.freebsd.org) Received: (from kmacy@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id mBG0GpXD020710; Tue, 16 Dec 2008 00:16:51 GMT (envelope-from kmacy@svn.freebsd.org) Message-Id: <200812160016.mBG0GpXD020710@svn.freebsd.org> From: Kip Macy Date: Tue, 16 Dec 2008 00:16:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r186147 - head/sys/netinet6 X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Dec 2008 00:16:51 -0000 Author: kmacy Date: Tue Dec 16 00:16:51 2008 New Revision: 186147 URL: http://svn.freebsd.org/changeset/base/186147 Log: fix two use after frees in nd6_cache_lladdr caused by last minute unlock shuffling Modified: head/sys/netinet6/nd6.c Modified: head/sys/netinet6/nd6.c ============================================================================== --- head/sys/netinet6/nd6.c Tue Dec 16 00:08:51 2008 (r186146) +++ head/sys/netinet6/nd6.c Tue Dec 16 00:16:51 2008 (r186147) @@ -1405,6 +1405,7 @@ nd6_cache_lladdr(struct ifnet *ifp, stru int llchange; int flags = 0; int newstate = 0; + uint16_t router; struct sockaddr_in6 sin6; struct mbuf *chain = NULL; @@ -1599,11 +1600,14 @@ nd6_cache_lladdr(struct ifnet *ifp, stru } if (ln) { + int static_route = (ln->la_flags & LLE_STATIC); + router = ln->ln_router; + if (flags & ND6_EXCLUSIVE) LLE_WUNLOCK(ln); else LLE_RUNLOCK(ln); - if (ln->la_flags & LLE_STATIC) + if (static_route) ln = NULL; } if (chain) @@ -1624,7 +1628,7 @@ nd6_cache_lladdr(struct ifnet *ifp, stru * for those are not autoconfigured hosts, we explicitly avoid such * cases for safety. */ - if (do_update && ln->ln_router && !V_ip6_forwarding && V_ip6_accept_rtadv) { + if (do_update && router && !V_ip6_forwarding && V_ip6_accept_rtadv) { /* * guaranteed recursion */