Module Name:	src
Committed By:	dyoung
Date:		Thu Jul 15 23:46:55 UTC 2010

Modified Files:
	src/sys/netinet6: udp6_output.c

Log Message:
Under some circumstances, udp6_output() would call ip6_clearpktopts()
with an uninitialized struct ip6_pktopts on the stack, opt.
ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
leading to memory corruption or a crash. Now, udp6_output() calls
ip6_clearpktopts(&opt, ...) only if opt was initialized. Thanks to
Clement LECIGNE for reporting this bug.

Fix a potential memory leak: it is udp6_output()'s responsibility to
free its mbuf arguments on error. In the unlikely event that
sa6_embedscope() failed, udp6_output() would not free its mbuf
arguments.

I will ask for this to be pulled up to -4, -5, and -5-0.

To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/netinet6/udp6_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
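
A minimal C model of the two error-path rules this commit message describes, added here as an illustration and not taken from udp6_output.c: clean up the options struct only once it has been initialized, and free both buffer arguments on every error path. All names (`struct buf`, `struct pktopts`, `output`, `opts_clear`, the `fail` selector) are hypothetical stand-ins for the kernel's types and functions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; not the NetBSD structures or functions. */
struct buf { int len; };                      /* plays the role of an mbuf */
struct pktopts { void *hbh; void *rthdr; };   /* owns heap pointers */
enum fail { FAIL_NONE, FAIL_SCOPE, FAIL_OPTS };

static int frees, clears;                     /* bookkeeping for the demo */

struct buf *buf_new(void) { return calloc(1, sizeof(struct buf)); }
static void buf_free(struct buf *b) { if (b) { free(b); frees++; } }

/* Frees whatever the members point at: only safe on an initialized struct. */
static void opts_clear(struct pktopts *o)
{
	free(o->hbh);
	free(o->rthdr);
	memset(o, 0, sizeof(*o));
	clears++;
}

/* Takes ownership of m and control on every path, success or error. */
int output(struct buf *m, struct buf *control, enum fail f)
{
	struct pktopts opt;       /* stack garbage until set up below */
	int opt_valid = 0, error = 0;

	if (f == FAIL_SCOPE) {    /* fails before opt is ever initialized */
		error = EINVAL;
		goto release;         /* a bare return here would leak m, control */
	}
	if (control != NULL) {
		memset(&opt, 0, sizeof(opt));
		opt_valid = 1;        /* from here on, opts_clear(&opt) is safe */
		opt.hbh = malloc(8);
		if (f == FAIL_OPTS || opt.hbh == NULL) {
			error = ENOMEM;
			goto release;
		}
	}
	/* Success: the lower layer would consume m; modeled as a free. */
release:
	buf_free(m);
	if (opt_valid)            /* never clean up an uninitialized struct */
		opts_clear(&opt);
	buf_free(control);
	return error;
}
```
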