Fix a bug introduced in 1.11 (and also MFCd to stable AND the security branch)

that causes a machine to panic when the kernel PPP / DEFLATE code is used.
1.11 moved a ZFREE to a point after the structural members were clobbered
by stores into a union'd structure.

This commit fixes the bug and adds a big whopping comment to make sure
the code isn't 'cleaned up' again :-)

Ian Dowse came up with the same patch independantly 68 seconds before I
did, talk about Karma!

I would also like to thank Eugene Grosbein for marathon work in tracking the
problem down by udpating his -stable based on date over and over again
to close in on the commit that caused his crashes.

PR:		kern/35969
Reviewed by:	Ian Dowse <iedowse@maths.tcd.ie>
X-MFC after:	 immediately

1 files changed, 5 insertions, 1 deletions

diff --git a/sys/net/zlib.c b/sys/net/zlib.c
index bf1f72d..feef531 100644
--- a/sys/net/zlib.c
+++ b/sys/net/zlib.c
@@ -3951,11 +3951,15 @@ int r;
           r = Z_MEM_ERROR;
           LEAVE
         }
+	/*
+	 * this ZFREE must occur *BEFORE* we mess with sub.decode, because
+	 * sub.trees is union'd with sub.decode.
+	 */
+        ZFREE(z, s->sub.trees.blens);
         s->sub.decode.codes = c;
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;
       }
-      ZFREE(z, s->sub.trees.blens);
       s->mode = CODES;
     case CODES:
       UPDATE