[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS: cvs.openbsd.org: src
- To: source-changes_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: CVS: cvs.openbsd.org: src
- From: Brad Smith <brad_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
- Date: Sat, 22 Oct 2005 00:38:55 -0600 (MDT)
Module name: src
Changes by: brad_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org 2005/10/22 00:38:54
sys/netinet6 : icmp6.c
In icmp6_redirect_output(), sip6 is initialised to point to the data area of
m0. But m0 may be freed later, so trying to use sip6 at the end of this
function is wrong. My guess is that we want to reference the data area
of m (the mbuf about to be send) instead at this point.
Fix a panic on Xen (where a data area of a mbuf may be unmapped when the
mbuf is freed), and probably potential data/pool corruption in other cases.
>From bouyer NetBSD