From d7ae37140ad11dc12ff3ec9cbd4fb048ca3d095b Mon Sep 17 00:00:00 2001 From: "Bjoern A. Zeeb" Date: Fri, 30 Sep 2011 18:20:16 +0000 Subject: [PATCH] Fix an obvious bug from r186196 shadowing a variable, not correctly appending the new mbuf to the chain reference but possibly causing an mbuf nextpkt loop leading to a memory used after handoff (or having been freed) and leaking an mbuf here. Reviewed by: rwatson, brooks MFC after: 3 days --- sys/netinet6/nd6.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 2b51e4379b3..da06563acdc 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -2042,14 +2042,15 @@ nd6_output_lle(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m0, if (*chain == NULL) *chain = m; else { - struct mbuf *m = *chain; + struct mbuf *mb; /* * append mbuf to end of deferred chain */ - while (m->m_nextpkt != NULL) - m = m->m_nextpkt; - m->m_nextpkt = m; + mb = *chain; + while (mb->m_nextpkt != NULL) + mb = mb->m_nextpkt; + mb->m_nextpkt = m; } return (error); }