Source-Changes-HG archive


[src/netbsd-2-0]: src/sys/netinet6 Pull up following revision(s) (requested b...



details:   https://anonhg.NetBSD.org/src/rev/e9fa7ee8b379
branches:  netbsd-2-0
changeset: 564877:e9fa7ee8b379
user:      riz <riz%NetBSD.org@localhost>
date:      Fri Oct 28 22:58:43 2005 +0000

description:
Pull up following revision(s) (requested by bouyer in ticket #5938):
        sys/netinet6/icmp6.c: revision 1.111
In icmp6_redirect_output(), sip6 is initialised to point to the data area of
m0. But m0 may be freed later, so trying to use sip6 at the end of this
function is wrong. My guess is that we want to reference the data area
of m (the mbuf about to be sent) instead at this point.
Fix a panic on Xen (where a data area of a mbuf may be unmapped when the
mbuf is freed), and probably potential data/pool corruption in other cases.

diffstat:

 sys/netinet6/icmp6.c |  5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diffs (26 lines):

diff -r faaa0a69a57b -r e9fa7ee8b379 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Fri Oct 28 22:52:23 2005 +0000
+++ b/sys/netinet6/icmp6.c      Fri Oct 28 22:58:43 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: icmp6.c,v 1.106.2.1 2004/05/28 07:24:47 tron Exp $     */
+/*     $NetBSD: icmp6.c,v 1.106.2.2 2005/10/28 22:58:43 riz Exp $      */
 /*     $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.106.2.1 2004/05/28 07:24:47 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.106.2.2 2005/10/28 22:58:43 riz Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -2620,6 +2620,7 @@
                m0 = NULL;
        }
 
+       sip6 = mtod(m, struct ip6_hdr *);
        if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_src))
                sip6->ip6_src.s6_addr16[1] = 0;
        if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_dst))
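Review bot: the added `sip6 = mtod(m, struct ip6_hdr *);` line has no comment explaining why the pointer is re-derived at this point, and it is easy to mistake for a redundant assignment. A short comment saying that sip6 previously pointed into m0, which has been released by the time the `m0 = NULL;` context above is reached, would protect the fix from being removed in a later cleanup. Two follow-ups are worth confirming before this goes further. First, the stores `sip6->ip6_src.s6_addr16[1] = 0;` and the matching one for ip6_dst now modify the header of m rather than of the original packet; the commit message calls that a guess, so the intended target should be stated explicitly. Second, mtod() only yields a usable header if the first mbuf of m holds at least sizeof(struct ip6_hdr) contiguous bytes, and nothing in the visible context shows that check, so it should be confirmed from the earlier part of the function.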


