From 9c0fda722d975e3e9d5edd323eb1b75d283402cb Mon Sep 17 00:00:00 2001 From: Hajimu UMEMOTO Date: Sun, 27 Feb 2005 18:57:10 +0000 Subject: [PATCH] icmp6_notify_error uses IP6_EXTHDR_CHECK, which in turn calls m_pullup. icmp6_notify_error continued to use the old pointer, which after the m_pullup is not suitable as a packet header any longer (see m_move_pkthdr). and this is what causes the kernel panic in sbappendaddr later on. PR: kern/77934 Submitted by: Gerd Rausch MFC after: 2 days --- sys/netinet6/icmp6.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index b289ab9a085c..4f628253f495 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -133,7 +133,7 @@ static int ni6_addrs __P((struct icmp6_nodeinfo *, struct mbuf *, struct ifnet **, char *)); static int ni6_store_addrs __P((struct icmp6_nodeinfo *, struct icmp6_nodeinfo *, struct ifnet *, int)); -static int icmp6_notify_error __P((struct mbuf *, int, int, int)); +static int icmp6_notify_error __P((struct mbuf **, int, int, int)); #ifdef COMPAT_RFC1885 static struct route_in6 icmp6_reflect_rt; @@ -819,7 +819,7 @@ icmp6_input(mp, offp, proto) break; } deliver: - if (icmp6_notify_error(m, off, icmp6len, code)) { + if (icmp6_notify_error(&m, off, icmp6len, code)) { /* In this case, m should've been freed. */ return (IPPROTO_DONE); } @@ -845,10 +845,11 @@ icmp6_input(mp, offp, proto) } static int -icmp6_notify_error(m, off, icmp6len, code) - struct mbuf *m; +icmp6_notify_error(mp, off, icmp6len, code) + struct mbuf **mp; int off, icmp6len, code; { + struct mbuf *m = *mp; struct icmp6_hdr *icmp6; struct ip6_hdr *eip6; u_int32_t notifymtu; @@ -1089,6 +1090,7 @@ icmp6_notify_error(m, off, icmp6len, code) &ip6cp); } } + *mp = m; return (0); freeit: