diff options
author | bz <bz@FreeBSD.org> | 2011-09-30 18:20:16 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2011-09-30 18:20:16 +0000 |
commit | 772dd0b1c32524d83e5a4042a3a4f6bf946f45a8 (patch) | |
tree | 2ee10d1734b93f824263d70bcbad1101d5a723e6 /sys | |
parent | 5f2fef9093d40be39fb3738dd1c13e4f073f0243 (diff) | |
download | FreeBSD-src-772dd0b1c32524d83e5a4042a3a4f6bf946f45a8.zip FreeBSD-src-772dd0b1c32524d83e5a4042a3a4f6bf946f45a8.tar.gz |
Fix an obvious bug from r186196 shadowing a variable, not correctly
appending the new mbuf to the chain reference but possibly causing an mbuf
nextpkt loop leading to a memory used after handoff (or having been freed)
and leaking an mbuf here.
Reviewed by: rwatson, brooks
MFC after: 3 days
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet6/nd6.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 2b51e43..da06563 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -2042,14 +2042,15 @@ nd6_output_lle(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m0, if (*chain == NULL) *chain = m; else { - struct mbuf *m = *chain; + struct mbuf *mb; /* * append mbuf to end of deferred chain */ - while (m->m_nextpkt != NULL) - m = m->m_nextpkt; - m->m_nextpkt = m; + mb = *chain; + while (mb->m_nextpkt != NULL) + mb = mb->m_nextpkt; + mb->m_nextpkt = m; } return (error); } |