From d0e6c546a23f0f65006eacf515ba4c36d70a8ed0 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Wed, 21 Mar 2012 08:43:38 +0000
Subject: [PATCH] in6_pcblookup_local() still can return a pcb with NULL
 inp_socket. To avoid panic, do not dereference inp_socket, but obtain reuse
 port option from inp_flags2, like this is done after next call to
 in_pcblookup_local() a few lines down below.

Submitted by:	rwatson
---
 sys/netinet6/in6_pcb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 8f829635cdcf..8ae5988a61d1 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -245,8 +245,8 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr *nam,
 				if (tw == NULL ||
 				    (reuseport & tw->tw_so_options) == 0)
 					return (EADDRINUSE);
-			} else if (t && (reuseport & t->inp_socket->so_options)
-			    == 0) {
+			} else if (t && (reuseport == 0 ||
+			    (t->inp_flags2 & INP_REUSEPORT) == 0)) {
 				return (EADDRINUSE);
 			}
 #ifdef INET