CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2025/09/14 14:47:33

Modified files:
    sys/netinet6 : nd6_nbr.c

Log message:
Fix use after free in ND6 DAD timer.

In IPv6 neighbor discovery, the duplicate address detection code
could trigger a use after free. Kernel reported a data modified on
NDP freelist panic. The offset pointed to timeout field of struct
dadq. nd6_dad_stop() calls nd6_dad_stoptimer() and nd6_dad_destroy()
without waiting for the timer to run before freeing. As a quick
fix implement a reaper on the timeout queue. While there remove a
useless NULL check in nd6_dad_timer().

OK florian@
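
The lifetime problem in the log message, as an added userspace model that is not the OpenBSD change or any code from nd6_nbr.c. It assumes the reaper is a callback queued behind any timer that is already due; dad_timer, dad_reaper, stop_immediate, stop_deferred and simulate are hypothetical names, and a flag stands in for the real free so the stale access is counted instead of performed.

```c
#include <stddef.h>

/* Userspace model, not kernel code: a FIFO of callbacks stands in for the
 * timeout queue, and dq->freed stands in for returning memory to the pool. */
struct dadq { int freed; int ticks; };
struct job { void (*fn)(struct dadq *); struct dadq *arg; };

static struct job queue[8];
static size_t qhead, qtail;
static int uaf_hits;	/* times a handler ran on an already released dadq */

static void enqueue(void (*fn)(struct dadq *), struct dadq *dp)
{
	queue[qtail].fn = fn;
	queue[qtail].arg = dp;
	qtail++;
}

static void dad_timer(struct dadq *dp)
{
	if (dp->freed) { uaf_hits++; return; }	/* real code would touch freed memory */
	dp->ticks++;
}

static void dad_reaper(struct dadq *dp) { dp->freed = 1; }

/* Buggy shape: release at once although the timer job is still queued. */
static void stop_immediate(struct dadq *dp) { dp->freed = 1; }

/* Reaper shape (assumed): queue the release behind anything already pending. */
static void stop_deferred(struct dadq *dp) { enqueue(dad_reaper, dp); }

static void run_queue(void)
{
	while (qhead < qtail) { struct job j = queue[qhead++]; j.fn(j.arg); }
}

/* Returns the number of stale accesses for one stop strategy, -1 on a leak. */
int simulate(int use_reaper)
{
	struct dadq dq = { 0, 0 };
	qhead = qtail = 0; uaf_hits = 0;
	enqueue(dad_timer, &dq);	/* timer already due, too late to cancel */
	if (use_reaper) stop_deferred(&dq); else stop_immediate(&dq);
	run_queue();
	return dq.freed ? uaf_hits : -1;
}
```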