From 0a82fed57ce0102a401799da2fb82a8dd8c75b28 Mon Sep 17 00:00:00 2001
From: Shawn Routhier
Date: Wed, 11 Jul 2012 14:50:35 -0700
Subject: [PATCH] [rt30024] This is a commit message Fix a pair of memory leaks.
---
 RELNOTES | 6 ++++++
 common/options.c | 2 ++
 server/dhcpv6.c | 2 ++
 3 files changed, 10 insertions(+)
diff --git a/RELNOTES b/RELNOTES
index cb82c53da..05ffdbc06 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -78,6 +78,12 @@ work on other platforms. Please report any problems and suggested fixes to
 [ISC-Bugs #29852]
 CVE: CVE-2012-3570
+! A pair of memory leaks were found and fixed. Thanks to
+ Glen Eustace of Massey University, New Zealand for finding
+ this issue.
+ [ISC-Bugs #30024]
+ CVE: CVE-2012-3954
+
 Changes since 4.2.4rc2
 - None
diff --git a/common/options.c b/common/options.c
index 8cbb03752..eccaa244a 100644
--- a/common/options.c
+++ b/common/options.c
@@ -2403,6 +2403,8 @@ prepare_option_buffer(struct universe *universe, struct buffer *bp,
 /* And let go of our references. */
 cleanup:
+ if (lbp != NULL)
+ buffer_dereference(&lbp, MDL);
 option_dereference(&option, MDL);
 return status;
diff --git a/server/dhcpv6.c b/server/dhcpv6.c
index eb86aeb0a..3ae86904f 100644
--- a/server/dhcpv6.c
+++ b/server/dhcpv6.c
@@ -1519,6 +1519,8 @@ lease_to_client(struct data_string *reply_ret,
 packet_dereference(&reply.packet, MDL);
 if (reply.client_id.data != NULL)
 data_string_forget(&reply.client_id, MDL);
+ if (packet_oro.buffer != NULL)
+ data_string_forget(&packet_oro, MDL);
 reply.renew = reply.rebind = reply.prefer = reply.valid = 0;
 reply.cursor = 0;
 }
--
2.47.3
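Review bot: The release added under `cleanup:` in common/options.c is only safe if `lbp` is NULL on every path that jumps to the label before a buffer has been taken, and if the reference it holds belongs to this function rather than to the caller's `bp`. Neither can be confirmed here, because the declaration and the assignments of `lbp` lie outside the hunk (prepare_option_buffer starts above it). If the declaration does not already initialise it, it should read `struct buffer *lbp = NULL;`. The cleanup lines would also benefit from a comment stating the ownership rule, for example `/* lbp is our own reference to the option data; the cache entry keeps its own. */`, with the wording adjusted to what the body really does. RELNOTES records this leak under CVE-2012-3954, so a leak-checker run over this path would make a sensible regression guard.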
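Review bot: In server/dhcpv6.c the new guard tests `packet_oro.buffer`, while the guard directly above it tests `reply.client_id.data` before the same `data_string_forget()` call, and nothing explains the difference. If testing the owning buffer is deliberate (it looks like the field that carries the reference, though struct data_string is not visible here), a short comment would stop a later consistency edit from changing it: `/* packet_oro: test .buffer, the field that holds the reference being released. */`. The release also depends on `packet_oro` being zeroed before any early exit reaches these lines, which cannot be checked from the hunk because lease_to_client starts outside it.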