Hi,

From NetBSD:

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/udp6_output.c?rev=1.41&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
"Under some circumstances, udp6_output() would call ip6_clearpktopts()
with an uninitialized struct ip6_pktopts on the stack, opt.
ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
leading to memory corruption or a crash.  Now, udp6_output() calls
ip6_clearpktopts(&opt, ...) only if opt was initialized. Thanks to
Clement LECIGNE for reporting this bug."

I checked the OpenBSD source code and it seems that the issue is present
as well.

Tentative diff:

Index: udp6_output.c
===================================================================
RCS file: /cvs/src/sys/netinet6/udp6_output.c,v
retrieving revision 1.19
diff -u -p -r1.19 udp6_output.c
--- udp6_output.c       28 Mar 2013 16:45:16 -0000      1.19
+++ udp6_output.c       23 Aug 2013 19:30:36 -0000
@@ -119,7 +119,8 @@ udp6_output(struct in6pcb *in6p, struct 
        struct  in6_addr *laddr, *faddr;
        u_short fport;
        int error = 0;
-       struct ip6_pktopts *optp, opt;
+       struct ip6_pktopts *optp = NULL; 
+       struct ip6_pktopts opt;
        int priv;
        int af, hlen;
        int flags;
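Review bot: trailing whitespace after `struct ip6_pktopts *optp = NULL;` on the added declaration line; strip it before committing. Initializing `optp` to NULL here is what lets the pointer double as the "opt was initialized" flag in the release path, so a one-line comment on the declaration stating that `optp` points at `opt` only once `opt` has been set up would make that intent clear to the next reader.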
@@ -284,7 +285,8 @@ release:
 
 releaseopt:
        if (control) {
-               ip6_clearpktopts(&opt, -1);
+               if (optp == &opt)
+                       ip6_clearpktopts(&opt, -1);
                m_freem(control);
        }
        return (error);
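Review bot: the `optp == &opt` guard depends on `optp` being assigned `&opt` only after `opt` has been fully set up, and that assignment is outside this hunk; confirm that the only place it happens is immediately after a successful ip6_setpktopts() and that no error path can leave `opt` partially populated while `optp` is still NULL, because such a path would now skip ip6_clearpktopts(&opt, -1) and leak whatever was already attached to `opt`. If ip6_setpktopts() can fail after allocating into `opt`, it should release its own partial state rather than rely on this release path.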

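A minimal C model of the release path described above, added here as an illustration and not taken from the NetBSD or OpenBSD sources: the option struct stays uninitialized on the stack, a NULL-initialized pointer records whether setup succeeded, and the cleanup runs only when that pointer was set. The names `pktopts`, `setpktopts()`, `clearpktopts()` and `udp6_output_model()` are stand-ins for the kernel's ip6_pktopts, ip6_setpktopts(), ip6_clearpktopts() and udp6_output().

```c
#include <stdlib.h>

struct pktopts {                /* stand-in for struct ip6_pktopts */
	char *rthdr;            /* heap-owned option freed by clearpktopts() */
};

static int frees_done;          /* counts clearpktopts() calls, for checking */

/* Stand-in for ip6_clearpktopts(): reads opt->rthdr, so calling it on an
 * uninitialized struct is exactly the bug the NetBSD commit describes. */
static void clearpktopts(struct pktopts *opt)
{
	free(opt->rthdr);
	opt->rthdr = NULL;
	frees_done++;
}

/* Stand-in for ip6_setpktopts() (hypothetical behaviour): fails without
 * touching *opt when ok == 0, otherwise allocates one option into *opt. */
static int setpktopts(int ok, struct pktopts *opt)
{
	if (!ok)
		return 22;      /* EINVAL */
	opt->rthdr = malloc(16);
	return opt->rthdr == NULL ? 12 : 0;     /* ENOMEM on allocation failure */
}

/* Model of udp6_output(): 'control' selects the setup path, 'ok' its outcome.
 * Returns the error code the real function would propagate. */
int udp6_output_model(int control, int ok)
{
	struct pktopts *optp = NULL;    /* NULL until opt is fully initialized */
	struct pktopts opt;             /* deliberately left uninitialized, as in the driver */
	int error = 0;

	if (control) {
		if ((error = setpktopts(ok, &opt)) != 0)
			goto release;   /* opt never initialized, optp still NULL */
		optp = &opt;            /* the only place optp can point at opt */
	}
	/* ... the send path would use optp here ... */
release:
	if (control) {
		if (optp == &opt)       /* the fix: clear only if opt was set up */
			clearpktopts(&opt);
	}
	return error;
}

int frees_count(void) { return frees_done; }
```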