In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when iterating over the next IPv6 options the kernel can free that mbuf, meaning the dereferences of 'finaldst' hit a freed buffer.
Note that this is triggerable without specific conditions, over just ICMPv6.

Maxime

freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
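The pattern described in the message, shown as an added user-space model that is not part of the original post and is not FreeBSD code: a helper may move the packet to new storage while headers are walked, so the destination address is copied out by value before the walk instead of being kept as a pointer into the buffer. All names (`pkt`, `pkt_pullup`, `final_dst_copy`) and the sample packet are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-space model; every name here is hypothetical, not FreeBSD code. */
struct pkt { uint8_t *data; size_t len; unsigned moves; };
struct addr16 { uint8_t b[16]; };

/* Models a helper that moves the packet to new storage and frees the old. */
static int pkt_pullup(struct pkt *p, size_t need)
{
    uint8_t *n;
    if (need > p->len || (n = malloc(p->len)) == NULL)
        return -1;
    memcpy(n, p->data, p->len);
    free(p->data);          /* pointers into the old storage now dangle */
    p->data = n;
    p->moves++;
    return 0;
}

/* Safe pattern: copy the destination out by value before the walk, so no
 * pointer into packet storage is live while headers are iterated. */
static int final_dst_copy(struct pkt *p, size_t dst_off, size_t off,
                          struct addr16 *out)
{
    if (dst_off > p->len || p->len - dst_off < sizeof(*out))
        return -1;
    memcpy(out, p->data + dst_off, sizeof(*out));
    while (off < p->len) {                  /* walk 8-byte-unit headers */
        if (pkt_pullup(p, off + 2) != 0)
            return -1;                      /* truncated header */
        off += ((size_t)p->data[off + 1] + 1) * 8;
    }
    return 0;
}

/* Constructed sample: 16-byte address followed by two 8-byte headers. */
static int demo(void)
{
    struct pkt p = { calloc(1, 32), 32, 0 };
    struct addr16 got;
    if (p.data == NULL) return -1;
    memset(p.data, 0xAB, 16);
    int ok = final_dst_copy(&p, 0, 16, &got) == 0 && p.moves == 2 &&
             got.b[0] == 0xAB && got.b[15] == 0xAB;
    free(p.data);
    return ok ? 0 : 1;
}
int main(void) { return demo(); }
```

In `demo()` the storage is replaced twice during the walk, and the copied address is still intact afterwards because nothing reads through the original buffer pointer.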