PR/45764, PR/45914

Part 1: nd6_purge can be called after dom_ifdetach, and if_afdata[AF_INET6] is going to be freed and point to garbage. Make sure we check for NULL, before taking the pointer offset. While I am here, add an M_ZERO.
2012-02-03 03:32:45 +00:00 · 2012-02-03 03:32:45 +00:00 · 6a74395ce6
parent 208455fc84
commit 6a74395ce6
1 changed files with 9 additions and 8 deletions
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@ -1,4 +1,4 @@
-/*	$NetBSD: nd6.c,v 1.140 2012/02/02 19:35:18 christos Exp $	*/
+/*	$NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $	*/
 /*	$KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $	*/

 /*
@ -31,7 +31,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.140 2012/02/02 19:35:18 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $");

 #include "opt_ipsec.h"

@ -163,8 +163,7 @@ nd6_ifattach(struct ifnet *ifp)
 {
 	struct nd_ifinfo *nd;

-	nd = (struct nd_ifinfo *)malloc(sizeof(*nd), M_IP6NDP, M_WAITOK);
-	memset(nd, 0, sizeof(*nd));
+	nd = (struct nd_ifinfo *)malloc(sizeof(*nd), M_IP6NDP, M_WAITOK|M_ZERO);

 	nd->initialized = 1;

@ -722,7 +721,6 @@ nd6_accepts_rtadv(const struct nd_ifinfo *ndi)
 void
 nd6_purge(struct ifnet *ifp)
 {
-	struct nd_ifinfo *ndi = ND_IFINFO(ifp);
 	struct llinfo_nd6 *ln, *nln;
 	struct nd_defrouter *dr, *ndr;
 	struct nd_prefix *pr, *npr;
@ -776,9 +774,12 @@ nd6_purge(struct ifnet *ifp)
 		nd6_setdefaultiface(0);

 	/* XXX: too restrictive? */
-	if (!ip6_forwarding && ndi && nd6_accepts_rtadv(ndi)) {
-		/* refresh default router list */
-		defrouter_select();
+	if (!ip6_forwarding && ifp->if_afdata[AF_INET6]) {
+		struct nd_ifinfo *ndi = ND_IFINFO(ifp);
+		if (ndi && nd6_accepts_rtadv(ndi)) {
+			/* refresh default router list */
+			defrouter_select();
+		}
 	}

 	/*