Received: by mail.netbsd.org (Postfix, from userid 0)
	id E4EBF63B10C; Fri, 16 Jul 2010 19:40:18 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd])
	by mail.netbsd.org (Postfix) with ESMTP id 53E3663B10B
	for ; Fri, 16 Jul 2010 19:40:11 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500)
	id 2B1B9175DD; Fri, 16 Jul 2010 19:40:11 +0000 (UTC)
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Date: Fri, 16 Jul 2010 19:40:11 +0000
From: Jeff Rizzo
Subject: CVS commit: [netbsd-4-0] src/sys/netinet6
To: source-changes@NetBSD.org
X-Mailer: log_accum
Message-Id: <20100716194011.2B1B9175DD@cvs.netbsd.org>
Sender: source-changes-owner@NetBSD.org
List-Id: source-changes.NetBSD.org
Precedence: list
Reply-To: source-changes-d@NetBSD.org
Mail-Reply-To: Jeff Rizzo
Mail-Followup-To: source-changes-d@NetBSD.org

Module Name:	src
Committed By:	riz
Date:		Fri Jul 16 19:40:11 UTC 2010

Modified Files:
	src/sys/netinet6 [netbsd-4-0]: udp6_output.c

Log Message:
Pull up following revision(s) (requested by dyoung in ticket #1397):
	sys/netinet6/udp6_output.c: revision 1.41

Under some circumstances, udp6_output() would call ip6_clearpktopts()
with an uninitialized struct ip6_pktopts on the stack, opt.
ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
leading to memory corruption or a crash.  Now, udp6_output() calls
ip6_clearpktopts(&opt, ...) only if opt was initialized.  Thanks to
Clement LECIGNE for reporting this bug.

Fix a potential memory leak: it is udp6_output()'s responsibility to
free its mbuf arguments on error.  In the unlikely event that
sa6_embedscope() failed, udp6_output() would not free its mbuf
arguments.

I will ask for this to be pulled up to -4, -5, and -5-0.

To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.14.1 src/sys/netinet6/udp6_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
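
The control flow the log message describes, as an added example that is not part of the commit or of NetBSD's source: cleanup of a stack-allocated options struct is gated on a pointer that is set only after initialization, and the caller's buffers are released on every error path. The names struct pktopts, struct buf, output_model() and the scope_ok parameter are simplified stand-ins assumed for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the NetBSD structures. */
struct pktopts { void *hbh; void *rthdr; };
struct buf { int freed; };

static int clear_calls;                 /* instrumentation for this example */

static void buf_free(struct buf *b) { if (b != NULL) b->freed = 1; }
static void pktopts_init(struct pktopts *o) { memset(o, 0, sizeof(*o)); }

/* Frees whatever the option pointers reference: only safe after init. */
static void pktopts_clear(struct pktopts *o)
{
    clear_calls++;
    free(o->hbh);   o->hbh = NULL;
    free(o->rthdr); o->rthdr = NULL;
}

/*
 * scope_ok == 0 models an early failure that occurs before opt is set up;
 * control != NULL models per-packet options being parsed into opt.
 */
int output_model(struct buf *data, struct buf *control, int scope_ok)
{
    struct pktopts opt;                 /* stack garbage until initialized */
    struct pktopts *optp = NULL;        /* non-NULL only once opt is valid */
    int error = 0;

    if (!scope_ok) {                    /* fails before opt is touched */
        error = EINVAL;
        goto release;
    }
    if (control != NULL) {
        pktopts_init(&opt);
        opt.hbh = malloc(8);            /* options now own heap memory */
        optp = &opt;
    }
    data = NULL;                        /* success: data handed to lower layer */
release:
    buf_free(data);                     /* error path frees the caller's buffers */
    buf_free(control);
    if (optp != NULL)                   /* never clear an uninitialized opt */
        pktopts_clear(optp);
    return error;
}
```

An unconditional pktopts_clear(&opt) at the release label would pass indeterminate stack contents to free() whenever the early failure is taken, which is the shape of the bug the log message reports.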