icmp6_notify_error uses IP6_EXTHDR_CHECK, which in turn calls

m_pullup.  icmp6_notify_error continued to use the old pointer,
which after the m_pullup is not suitable as a packet header any
longer (see m_move_pkthdr).
and this is what causes the kernel panic in sbappendaddr later on.

PR:		kern/77934
Submitted by:	Gerd Rausch <gerd@juniper.net>
MFC after:	2 days

1 files changed, 6 insertions, 4 deletions

diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index b289ab9a085c..4f628253f495 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -133,7 +133,7 @@ static int ni6_addrs __P((struct icmp6_nodeinfo *, struct mbuf *,
 			  struct ifnet **, char *));
 static int ni6_store_addrs __P((struct icmp6_nodeinfo *, struct icmp6_nodeinfo *,
 				struct ifnet *, int));
-static int icmp6_notify_error __P((struct mbuf *, int, int, int));
+static int icmp6_notify_error __P((struct mbuf **, int, int, int));
 
 #ifdef COMPAT_RFC1885
 static struct route_in6 icmp6_reflect_rt;
@@ -819,7 +819,7 @@ icmp6_input(mp, offp, proto)
 			break;
 		}
 	deliver:
-		if (icmp6_notify_error(m, off, icmp6len, code)) {
+		if (icmp6_notify_error(&m, off, icmp6len, code)) {
 			/* In this case, m should've been freed. */
 			return (IPPROTO_DONE);
 		}
@@ -845,10 +845,11 @@ icmp6_input(mp, offp, proto)
 }
 
 static int
-icmp6_notify_error(m, off, icmp6len, code)
-	struct mbuf *m;
+icmp6_notify_error(mp, off, icmp6len, code)
+	struct mbuf **mp;
 	int off, icmp6len, code;
 {
+	struct mbuf *m = *mp;
 	struct icmp6_hdr *icmp6;
 	struct ip6_hdr *eip6;
 	u_int32_t notifymtu;
@@ -1089,6 +1090,7 @@ icmp6_notify_error(m, off, icmp6len, code)
 			    &ip6cp);
 		}
 	}
+	*mp = m;
 	return (0);
 
   freeit: