From 2ce17a724aa84434c321f9a9716f09156975e18c Mon Sep 17 00:00:00 2001
From: Ivan Delamer <delamer@inicotech.com>
Date: Wed, 26 Oct 2011 14:31:48 -0600
Subject: [PATCH] Fix bug #34526: nd6_queue_packet() frees too much if
 out-of-memory

Change-Id: Ib7ac0cb1b5a5389dd5449a908485493bd085ba9d
---
 src/core/ipv6/nd6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/core/ipv6/nd6.c b/src/core/ipv6/nd6.c
index 54290ef5..4ad05279 100644
--- a/src/core/ipv6/nd6.c
+++ b/src/core/ipv6/nd6.c
@@ -1543,10 +1543,11 @@ nd6_queue_packet(s8_t neighbor_index, struct pbuf * q)
   if(copy_needed) {
     /* copy the whole packet into new pbufs */
     p = pbuf_alloc(PBUF_LINK, q->tot_len, PBUF_RAM);
-    if ((p == NULL) && (neighbor_cache[neighbor_index].q != NULL)) {
+    while ((p == NULL) && (neighbor_cache[neighbor_index].q != NULL)) {
       /* Free oldest packet (as per RFC recommendation) */
       r = neighbor_cache[neighbor_index].q;
       neighbor_cache[neighbor_index].q = r->next;
+      r->next = NULL;
       nd6_free_q(r);
       p = pbuf_alloc(PBUF_LINK, q->tot_len, PBUF_RAM);
     }
@@ -1570,6 +1571,7 @@ nd6_queue_packet(s8_t neighbor_index, struct pbuf * q)
       /* Free oldest packet (as per RFC recommendation) */
       r = neighbor_cache[neighbor_index].q;
       neighbor_cache[neighbor_index].q = r->next;
+      r->next = NULL;
       nd6_free_q(r);
       new_entry = (struct nd6_q_entry *)memp_malloc(MEMP_ND6_QUEUE);
     }