arp: Fix a crash when dhcpcd forks or an interface removed

Because we try and free the ARP state when dhcpcd forks or an
interface is removed, the loop to work out the next state to free
could return invalid memory.
So test we have an ARP state each time we iterate and free.

diff --git a/src/arp.c b/src/arp.c
index c07fae257dcf6370211321707d4e58f9fcc7b404..49393f5a528aa6bec75c88cd30f7e9f8daef9db6 100644 (file)
--- a/src/arp.c
+++ b/src/arp.c
@@ -615,13 +615,9 @@ arp_drop(struct interface *ifp)
        struct iarp_state *state;
        struct arp_state *astate;
 
-       state = ARP_STATE(ifp);
-       if (state == NULL)
-               return;
-
-       while ((astate = TAILQ_FIRST(&state->arp_states)) != NULL) {
+       while ((state = ARP_STATE(ifp)) != NULL &&
+           (astate = TAILQ_FIRST(&state->arp_states)) != NULL)
                arp_free(astate);
-       }
 
        /* No need to close because the last free will close */
 }