From 24fdcd89ad7474e39c39b6ae22c234c6b0d5b40c Mon Sep 17 00:00:00 2001 From: dillon Date: Wed, 20 Mar 2002 04:05:26 +0000 Subject: Fix a bug introduced in 1.11 (and also MFCd to stable AND the security branch) that causes a machine to panic when the kernel PPP / DEFLATE code is used. 1.11 moved a ZFREE to a point after the structural members were clobbered by stores into a union'd structure. This commit fixes the bug and adds a big whopping comment to make sure the code isn't 'cleaned up' again :-) Ian Dowse came up with the same patch independently 68 seconds before I did, talk about Karma! I would also like to thank Eugene Grosbein for marathon work in tracking the problem down by updating his -stable based on date over and over again to close in on the commit that caused his crashes. PR: kern/35969 Reviewed by: Ian Dowse X-MFC after: immediately --- sys/net/zlib.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'sys/net/zlib.c') diff --git a/sys/net/zlib.c b/sys/net/zlib.c index bf1f72d..feef531 100644 --- a/sys/net/zlib.c +++ b/sys/net/zlib.c @@ -3951,11 +3951,15 @@ int r; r = Z_MEM_ERROR; LEAVE } + /* + * this ZFREE must occur *BEFORE* we mess with sub.decode, because + * sub.trees is union'd with sub.decode. + */ + ZFREE(z, s->sub.trees.blens); s->sub.decode.codes = c; s->sub.decode.tl = tl; s->sub.decode.td = td; } - ZFREE(z, s->sub.trees.blens); s->mode = CODES; case CODES: UPDATE -- cgit v1.1
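Review bot: The relocated ZFREE(z, s->sub.trees.blens) now sits inside the brace block, ahead of the three s->sub.decode stores, whereas the removed call ran after the block's closing brace. Please confirm that block is entered on every path that reaches "s->mode = CODES;", since any path that skips it would no longer free blens. The "r = Z_MEM_ERROR; LEAVE" exit just above the new call also leaves with blens still allocated, so it is worth stating where that path gets cleaned up. The new comment gives the ordering rule but not the consequence; consider adding that the decode stores overwrite the union storage holding blens, so a ZFREE placed after them passes a clobbered pointer to the allocator.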