From 16cd87e8a76884802896495eb0e39461d8303c0f Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Thu, 5 Jan 2017 16:03:35 +0100
Subject: [PATCH] dhcpv6-ia: fix dereference after freeing assignment

Fix assignment dereference by dhcpv6_log in case
the assignment is freed when nothing has been
assigned.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
---
 src/dhcpv6-ia.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/dhcpv6-ia.c b/src/dhcpv6-ia.c
index 4e30faa..4c077db 100644
--- a/src/dhcpv6-ia.c
+++ b/src/dhcpv6-ia.c
@@ -1051,7 +1051,7 @@ ssize_t dhcpv6_handle_ia(uint8_t *buf, size_t buflen, struct interface *iface,
 					((is_pd && c->length <= 64) || (is_na && c->length == 128))) {
 				a = c;
 
-				// Reset state
+				/* Reset state */
 				apply_lease(iface, a, false);
 				memcpy(a->clid_data, clid_data, clid_len);
 				a->clid_len = clid_len;
@@ -1151,10 +1151,11 @@ ssize_t dhcpv6_handle_ia(uint8_t *buf, size_t buflen, struct interface *iface,
 				a->accept_reconf = accept_reconf;
 				a->flags |= OAF_BOUND;
 				apply_lease(iface, a, true);
-			} else if (!assigned && a && a->managed_size == 0)
+			} else if (!assigned && a && a->managed_size == 0) {
 				/* Cleanup failed assignment */
 				free_dhcpv6_assignment(a);
-
+				a = NULL;
+			}
 		} else if (hdr->msg_type == DHCPV6_MSG_RENEW ||
 				hdr->msg_type == DHCPV6_MSG_RELEASE ||
 				hdr->msg_type == DHCPV6_MSG_REBIND ||
-- 
2.11.0