From 8cfbd2995ba5c8dce52f5b31f85b926a6d9eaa0e Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Fri, 14 Mar 2008 11:55:04 +0000
Subject: [PATCH] Correct reference counting on the SP for outgoing IPv6 IPsec
 connections.

PR:		121374
Reported by:	Cyrus Rahman (crahman gmail.com)
Tested by:	Cyrus Rahman (crahman gmail.com)
MFC after:	5 days
---
 sys/netinet6/ip6_ipsec.c  | 8 +-------
 sys/netinet6/ip6_output.c | 4 ++++
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 5d0dea56cea0..cb012c9913c7 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -257,7 +257,7 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
 				 * NB: null pointer to avoid free at
 				 *     done: below.
 				 */
-				KEY_FREESP(sp), sp = NULL;
+				KEY_FREESP(sp), *sp = NULL;
 				/* XXX splx(s); */
 				goto done;
 			}
@@ -298,16 +298,10 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
 		}
 	}
 done:
-	if (sp != NULL)
-		if (*sp != NULL)
-			KEY_FREESP(sp);
 	return 0;
 do_ipsec:
 	return -1;
 bad:
-	if (sp != NULL)
-		if (*sp != NULL)
-			KEY_FREESP(sp);
 	return 1;
 #endif /* IPSEC */
 	return 0;
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 5755a1f196a4..2336e41e0b70 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1082,6 +1082,10 @@ skip_ipsec2:;
 	} else if (ro_pmtu == &ip6route && ro_pmtu->ro_rt) {
 		RTFREE(ro_pmtu->ro_rt);
 	}
+#ifdef IPSEC
+	if (sp != NULL)
+		KEY_FREESP(&sp);
+#endif
 
 	return (error);