Date:      Tue, 16 Dec 2008 00:16:51 +0000 (UTC)
From:      Kip Macy <kmacy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r186147 - head/sys/netinet6
Message-ID:  <200812160016.mBG0GpXD020710@svn.freebsd.org>

Author: kmacy
Date: Tue Dec 16 00:16:51 2008
New Revision: 186147
URL: http://svn.freebsd.org/changeset/base/186147

Log:
  fix two use after frees in nd6_cache_lladdr caused by last minute unlock shuffling

Modified:
  head/sys/netinet6/nd6.c

Modified: head/sys/netinet6/nd6.c
==============================================================================
--- head/sys/netinet6/nd6.c	Tue Dec 16 00:08:51 2008	(r186146)
+++ head/sys/netinet6/nd6.c	Tue Dec 16 00:16:51 2008	(r186147)
@@ -1405,6 +1405,7 @@ nd6_cache_lladdr(struct ifnet *ifp, stru
 	int llchange;
 	int flags = 0;
 	int newstate = 0;
+	uint16_t router;
 	struct sockaddr_in6 sin6;
 	struct mbuf *chain = NULL;
 
@@ -1599,11 +1600,14 @@ nd6_cache_lladdr(struct ifnet *ifp, stru
 	}
 
 	if (ln) {
+		int static_route = (ln->la_flags & LLE_STATIC);
+		router = ln->ln_router;
+
 		if (flags & ND6_EXCLUSIVE)
 			LLE_WUNLOCK(ln);
 		else
 			LLE_RUNLOCK(ln);
-		if (ln->la_flags & LLE_STATIC)
+		if (static_route)
 			ln = NULL;
 	}
 	if (chain)
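Review bot: The two snapshots taken before the unlock need a comment explaining why they are there, because the ordering is the entire fix and a later cleanup could easily move the reads back below the unlock. Something like `/* Copy what is needed before unlocking; ln may be freed once the lock is dropped. */` above `int static_route` would do. In the non-static case `ln` is still non-NULL after `LLE_WUNLOCK`/`LLE_RUNLOCK`, so any later dereference of it in the part of nd6_cache_lladdr outside this hunk would be the same class of bug and is worth auditing. The function starts and ends outside the hunk, so that cannot be confirmed from here.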
@@ -1624,7 +1628,7 @@ nd6_cache_lladdr(struct ifnet *ifp, stru
 	 * for those are not autoconfigured hosts, we explicitly avoid such
 	 * cases for safety.
 	 */
-	if (do_update && ln->ln_router && !V_ip6_forwarding && V_ip6_accept_rtadv) {
+	if (do_update && router && !V_ip6_forwarding && V_ip6_accept_rtadv) {
 		/*
 		 * guaranteed recursion
 		 */
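Review bot: `router` is read in the `do_update && router` condition here, but it is assigned only inside the `if (ln)` block of the previous hunk, and its declaration in the first hunk has no initializer. If `ln` can be NULL at that point, which the `if (ln)` guard suggests, this condition tests an indeterminate value. Declaring it as `uint16_t router = 0;` makes the no-entry case evaluate as "not a router". Whether `do_update` can be non-zero with `ln == NULL` depends on code outside these hunks.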


