using memory after freed in tcp_syncache (syncache_timer())
Don Bowman
don at sandvine.com
Sat Jun 28 18:20:02 PDT 2003
syncache_timer()
...
        /*
         * syncache_respond() may call back into the syncache to
         * modify another entry, so do not obtain the next
         * entry on the timer chain until it has completed.
         */
        (void) syncache_respond(sc, NULL);
        nsc = TAILQ_NEXT(sc, sc_timerq);
        tcpstat.tcps_sc_retransmitted++;
        TAILQ_REMOVE(&tcp_syncache.timerq[slot], sc, sc_timerq);
So what happens is that syncache_respond() calls ip_output, which ends up calling ip_input, which ends up doing something that causes 'sc' to be freed. Now 'sc' is freed, we return to syncache_timer(), and then we use it in the nsc = TAILQ_NEXT(...) line.
This particular part of the problem was introduced in 1.23 of tcp_syncache.c in response to another bug that I had found.
Does anyone have a suggestion on a proper fix?
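The hazard described above, modelled as an added example in C (this is not FreeBSD's code, nor the fix the list eventually settled on): the timer walk unlinks and holds each entry before the re-entrant call, so no link pointer is read after the callback and a free from inside it only drops a reference. All names here (sc_drop, respond, timer_walk, nextslot, sc_onq) are constructed for the model; `respond` stands in for syncache_respond() and deliberately frees both the entry it was called for and its neighbour, the exact case that made `nsc = TAILQ_NEXT(sc, ...)` read freed memory.

```c
#include <stdlib.h>
#include <sys/queue.h>
/* Model of the hazard in the post: a timer walk whose callback can free the
 * current entry or its neighbour. Added example, not FreeBSD code. */
TAILQ_HEAD(scq, sc);
struct sc {
    TAILQ_ENTRY(sc) sc_timerq;
    struct scq *sc_onq;  /* queue the entry is linked on, or NULL */
    int sc_refs;         /* 1 while the entry exists, +1 per temporary hold */
    int sc_dead;         /* sc_drop() was called; freed once sc_refs hits 0 */
    int sc_id;
};
static struct scq timerq = TAILQ_HEAD_INITIALIZER(timerq);
static struct scq nextslot = TAILQ_HEAD_INITIALIZER(nextslot);
static int nfreed;       /* entries actually free()d */
static struct sc *sc_new(int id) {
    struct sc *s = calloc(1, sizeof(*s));
    s->sc_refs = 1; s->sc_id = id; s->sc_onq = &timerq;
    TAILQ_INSERT_TAIL(&timerq, s, sc_timerq);
    return s;
}
static void sc_release(struct sc *s) { if (--s->sc_refs == 0) { free(s); nfreed++; } }
/* Free path, callable from inside the callback: unlink and mark dead, but only
 * free once no one else holds a reference. */
static void sc_drop(struct sc *s) {
    if (s->sc_dead) return;
    s->sc_dead = 1;
    if (s->sc_onq) { TAILQ_REMOVE(s->sc_onq, s, sc_timerq); s->sc_onq = NULL; }
    sc_release(s);
}
/* Stand-in for syncache_respond(): re-enters the cache and drops the unrelated
 * entry 'other', and drops any odd-numbered entry it was called for. */
static void respond(struct sc *s, struct sc *other) {
    if (other) sc_drop(other);
    if (s->sc_id % 2) sc_drop(s);
}
/* Timer walk: unlink and hold the entry before the callback, so no link pointer
 * is read after the call and the entry cannot vanish underneath the walk. */
static int timer_walk(struct sc *other) {
    struct sc *s; int n = 0;
    while ((s = TAILQ_FIRST(&timerq)) != NULL) {
        TAILQ_REMOVE(&timerq, s, sc_timerq); s->sc_onq = NULL;
        s->sc_refs++;                       /* hold across the re-entrant call */
        respond(s, other); other = NULL;    /* 'other' is dropped only once */
        if (!s->sc_dead) { s->sc_onq = &nextslot; TAILQ_INSERT_TAIL(&nextslot, s, sc_timerq); }
        sc_release(s); n++;                 /* frees only if the callback dropped it */
    }
    return n;
}
```

With entries 1..4 queued and entry 2 passed as `other`, the callback for entry 1 frees entry 2 (the would-be `nsc`) and entry 1 itself; the walk still visits 1, 3 and 4 without touching freed memory.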