From 77d396fd187c5446f75b0f4bba52fc1a720bb368 Mon Sep 17 00:00:00 2001
From: Maksim Yevmenkin <emax@FreeBSD.org>
Date: Mon, 4 Jun 2012 18:43:51 +0000
Subject: [PATCH] Plug more refcount leaks and possible NULL deref for
 interface address list.

Submitted by:	scottl@
MFC after:	3 days
---
 sys/netinet/tcp_input.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 292dd6b8e532..4d3234f55fdc 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -512,6 +512,8 @@ tcp6_input(struct mbuf **mp, int *offp, int proto)
 			    (caddr_t)&ip6->ip6_dst - (caddr_t)ip6);
 		return IPPROTO_DONE;
 	}
+	if (ia6)
+		ifa_free(&ia6->ia_ifa);
 
 	tcp_input(m, *offp);
 	return IPPROTO_DONE;
@@ -1240,7 +1242,8 @@ tcp_input(struct mbuf *m, int off0)
 				rstreason = BANDLIM_RST_OPENPORT;
 				goto dropwithreset;
 			}
-			ifa_free(&ia6->ia_ifa);
+			if (ia6)
+				ifa_free(&ia6->ia_ifa);
 		}
 #endif /* INET6 */
 		/*