(Probably I have to make a PR...,)
The latest RELNEG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
has the following code fragment:
rip6_output()
...
freectl:
if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
RTFREE(optp->ip6po_route.ro_rt);
if (control) {
if (optp == &opt)
ip6_clearpktopts(optp, 0, -1);
Thus, it can call RTFREE inside the function. However,
ip6_clearpktopts(defined in netinet6/ip6_output.c) also calls RTFREE:
ip6_clearpktopts()
...
if (pktopt->ip6po_route.ro_rt) {
RTFREE(pktopt->ip6po_route.ro_rt);
pktopt->ip6po_route.ro_rt = NULL;
}
Consequently, optp->ip6po_route.ro_rt can be freed two times,
unexpectedly.
Here is a patch to fix the problem. Please review it, and merge it
to the repository (hopefully before 4.4-RELEASE.) if acceptable.
Thanks,
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
*** raw_ip6.c.orig Tue Aug 7 21:42:30 2001
--- raw_ip6.c Tue Aug 7 21:42:36 2001
***************
*** 472,479 ****
m_freem(m);
freectl:
- if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
- RTFREE(optp->ip6po_route.ro_rt);
if (control) {
if (optp == &opt)
ip6_clearpktopts(optp, 0, -1);
--- 472,477 ----
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
