summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2008-03-04 11:19:36 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2008-03-04 11:19:36 +0000
commit036ad88cea926585d79ee0c8c9c533d26c2a5584 (patch)
tree23ffee0352f760c9165d69f4929269c51f5ee667
parent37b19e13418e36b4c52d99a297f433839ed20f3f (diff)
fix use-after-free: pfxlist_onlink_check() might free rt_llinfo for
the current route, so make sure RTF_LLINFO is still set; fixes pr 5711; with krw@ and claudio@; ok jsing@
-rw-r--r--sys/netinet6/nd6_nbr.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index aaa5ceccab4..e9f5082d2b2 100644
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6_nbr.c,v 1.47 2008/02/05 22:57:31 mpf Exp $ */
+/* $OpenBSD: nd6_nbr.c,v 1.48 2008/03/04 11:19:35 markus Exp $ */
/* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */
/*
@@ -682,6 +682,8 @@ nd6_na_input(m, off, icmp6len)
* affect the status of associated prefixes..
*/
pfxlist_onlink_check();
+ if ((rt->rt_flags & RTF_LLINFO) == 0)
+ goto freeit; /* ln is gone */
}
} else {
int llchange;