From a844d49cc6fb0c65cebd17b701418cf785624d69 Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov"
Date: Wed, 22 Jun 2016 11:29:21 +0000
Subject: [PATCH] Fix the NULL pointer dereference for unresolved link layer entries in the netinet6 code. Copy link layer address only when corresponding entry has LLE_VALID flag.
PR: 210379
Approved by: re (kib)
---
 sys/netinet6/in6.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 1279d31f593..419178243e3 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -2322,10 +2322,16 @@ in6_lltable_dump_entry(struct lltable *llt, struct llentry *lle,
 sdl = &ndpc.sdl;
 sdl->sdl_family = AF_LINK;
 sdl->sdl_len = sizeof(*sdl);
- sdl->sdl_alen = ifp->if_addrlen;
 sdl->sdl_index = ifp->if_index;
 sdl->sdl_type = ifp->if_type;
- bcopy(lle->ll_addr, LLADDR(sdl), ifp->if_addrlen);
+ if ((lle->la_flags & LLE_VALID) == LLE_VALID) {
+ sdl->sdl_alen = ifp->if_addrlen;
+ bcopy(lle->ll_addr, LLADDR(sdl),
+ ifp->if_addrlen);
+ } else {
+ sdl->sdl_alen = 0;
+ bzero(LLADDR(sdl), ifp->if_addrlen);
+ }
 if (lle->la_expire != 0)
 ndpc.rtm.rtm_rmx.rmx_expire = lle->la_expire +
 lle->lle_remtime / hz +
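Review bot: Both new branches write `ifp->if_addrlen` bytes at `LLADDR(sdl)` (the `bcopy()` in the valid case, the `bzero()` in the else case), and nothing visible in the hunk bounds that length against the room left in the on-stack `sockaddr_dl`. If no earlier check exists in `in6_lltable_dump_entry` (its body starts and ends outside this hunk), an assertion before the `if` would make the assumption explicit, e.g. `KASSERT(ifp->if_addrlen <= sizeof(sdl->sdl_data), ("if_addrlen too large"));`. The guard also relies on `LLE_VALID` implying that `lle->ll_addr` is set, so a short comment such as `/* ll_addr is only set for resolved (LLE_VALID) entries */` above the test would record why the flag stands in for a pointer check. Since this record is presumably exported to userland, it is worth confirming that `ndpc` is zeroed before this point, so that the bytes past the address do not carry stale stack contents.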