From 7fe0fee3eb948182a252b31ed8c3acf4e9d6d74b Mon Sep 17 00:00:00 2001
From: ae <ae@FreeBSD.org>
Date: Thu, 19 Mar 2015 12:49:55 +0000
Subject: MFC r279910:   Reset mbuf pointer to NULL in fastroute case to
 indicate that mbuf was   consumed by filter. This fixes several panics due to
 accessing to mbuf   after free.

---
 sys/netpfil/pf/pf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index d3e6598..302771d 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5440,6 +5440,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 			PF_STATE_UNLOCK(s);
 		m0->m_flags |= M_SKIP_FIREWALL;
 		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
+		*m = NULL;
 		return;
 	}
 
-- 
cgit v1.1