From 67614765386899c412b0a632b179c23f6653778b Mon Sep 17 00:00:00 2001
From: gonzo
Date: Sat, 19 Jul 2008 13:15:51 +0000
Subject: [PATCH] MFC r179971: In case of interface initialization failure remove struct in_ifaddr* from in_ifaddrhashtbl in in_ifinit because error handler in in_control removes entries only for AF_INET addresses. If in_ifinit is called for the cloned inteface that has just been created its address family is not AF_INET and therefor LIST_REMOVE is not called for respective LIST_INSERT_HEAD and freed entries remain in in_ifaddrhashtbl and lead to memory corruption.

PR: kern/124384
MFC after: 3 weeks
---
 sys/netinet/in.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index 10275f2837d1..3ae2015833f0 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -715,6 +715,14 @@ in_ifinit(ifp, ia, sin, scrub)
 			if (ia->ia_addr.sin_family == AF_INET)
 				LIST_INSERT_HEAD(INADDR_HASH(
 				    ia->ia_addr.sin_addr.s_addr), ia, ia_hash);
+			else
+				/*
+				 * If oldaddr family is not AF_INET (e.g.
+				 * interface has been just created) in_control
+				 * does not call LIST_REMOVE, and we end up
+				 * with bogus ia entries in hash
+				 */
+				LIST_REMOVE(ia, ia_hash);
 			return (error);
 		}
 	}
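Review bot: The added `LIST_REMOVE(ia, ia_hash)` assumes `ia` is currently linked into a hash chain, which rests on the insertion done earlier in in_ifinit, outside this hunk; if that insertion is ever made conditional, this removal would run on an unlinked entry and corrupt a list it is not on. A one-line precondition comment would make the coupling visible, e.g. `/* ia was linked under the new address above; unlink it here because in_control only does so when ia_addr is AF_INET */`. The six-line comment sitting between `else` and its single statement is also easy to break when a second statement is added later; bracing the else branch or moving the comment above the `if` would make the control flow unambiguous. The restoration of the old address and the AF_INET re-insert path are unchanged by this commit, so whether that branch needs a matching unlink is not something this hunk settles. in_ifinit starts before this hunk and continues after it.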