From d3824bd1abacde2396231c734ef46b5118f2cb37 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 6 Sep 2012 09:44:31 +0200
Subject: [PATCH] defrag: fix potential use after free.

Coverity pointed out that PoolReturn is almost like free and detected a use after free when accessing to tracker->af (issue 720339). This patch fixes this by storing the value in a local variable.
---
 src/defrag.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/defrag.c b/src/defrag.c
index f78d5b19c5..0e017c677b 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -1042,16 +1042,17 @@ DefragTimeoutTracker(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
 tracker = HashListTableGetListData(next);
 if (tracker->timeout < (unsigned int)p->ts.tv_sec) {
+ int af_family = tracker->af;
 /* Tracker has timeout out. */
 HashListTableRemove(dc->frag_table, tracker, HASHLIST_NO_SIZE);
 DefragTrackerReset(tracker);
 PoolReturn(dc->tracker_pool, tracker);
 if (tv != NULL && dtv != NULL) {
- if (tracker->af == AF_INET) {
+ if (af_family == AF_INET) {
 SCPerfCounterIncr(dtv->counter_defrag_ipv4_timeouts, tv->sc_perf_pca);
 }
- else if (tracker->af == AF_INET6) {
+ else if (af_family == AF_INET6) {
 SCPerfCounterIncr(dtv->counter_defrag_ipv6_timeouts, tv->sc_perf_pca);
 }
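Review bot: The new `int af_family = tracker->af;` line carries no comment saying why the value is copied, so a later edit can easily reintroduce a read of `tracker` after `PoolReturn(dc->tracker_pool, tracker)`. I would add above it `/* Copy af now: tracker must not be dereferenced after PoolReturn(). */`, and name the local `af`, since `af_family` spells "family" twice. Taking the copy ahead of `DefragTrackerReset(tracker)` is also the right order if that reset clears the field, which is not visible in this hunk. The declared `int` should match the type of `tracker->af`, which the hunk does not show either; DefragTimeoutTracker's body starts and ends outside the hunk.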