Fix more memory corruption

diff --git a/src/config.c b/src/config.c
index e45596592bbf15898682652cb3e801be78b31441..4aaded9f342e1b72c440956987bf6c4d6e8a8c35 100644 (file)
--- a/src/config.c
+++ b/src/config.c
@@ -532,7 +532,7 @@ void odhcpd_run(void)
 #endif
 
                // Evaluate hybrid mode for master
-               struct interface *master = NULL, *i;
+               struct interface *master = NULL, *i, *n;
                list_for_each_entry(i, &interfaces, head) {
                        if (!i->master)
                                continue;
@@ -557,7 +557,7 @@ void odhcpd_run(void)
                }
 
 
-               list_for_each_entry(i, &interfaces, head) {
+               list_for_each_entry_safe(i, n, &interfaces, head) {
                        if (i->inuse && !i->ignore) {
                                // Resolve hybrid mode
                                if (i->dhcpv6 == RELAYD_HYBRID)

diff --git a/src/router.c b/src/router.c
index bb7ddcd27e5c1f045ce90998f2fb96006a867f23..9258acf00869be69f2299daae87e91040239a8b3 100644 (file)
--- a/src/router.c
+++ b/src/router.c
@@ -352,7 +352,7 @@ static void send_router_advert(struct uloop_timeout *event)
                uint8_t pad2;
                uint32_t lifetime;
                uint8_t name[];
-       } *search = malloc(sizeof(*search) + search_padded);
+       } *search = alloca(sizeof(*search) + search_padded);
        search->type = ND_OPT_DNS_SEARCH;
        search->len = search_len ? ((sizeof(*search) + search_padded) / 8) : 0;
        search->pad = 0;
@@ -409,7 +409,6 @@ static void send_router_advert(struct uloop_timeout *event)
        struct sockaddr_in6 all_nodes = {AF_INET6, 0, 0, ALL_IPV6_NODES, 0};
        odhcpd_send(router_event.uloop.fd,
                        &all_nodes, iov, ARRAY_SIZE(iov), iface);
-       free(search);
 
        // Rearm timer
        int msecs;