Subject: Re: kern/37037
To: kern-bug-people@netbsd.org, gnats-admin@netbsd.org
From: Darren Reed <darrenr@netbsd.org>
List: netbsd-bugs
Date: 09/29/2007 12:45:01
The following reply was made to PR kern/37037; it has been noted by GNATS.
From: Darren Reed <darrenr@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/37037
Date: Sat, 29 Sep 2007 05:30:20 -0700
In 4.0RC1, the code is:
5057:	case IPFGENITER_NAT :
5058:		if (nextnat != NULL) {
5059:			if (nextnat->nat_next == NULL) {
5060:				count = 1;
5061:				freet = t;
5062:				nat = NULL;
5063:			}
5064:			if (count == 1) {
5065:				MUTEX_ENTER(&nextnat->nat_lock);
5066:				nextnat->nat_ref++;
5067:				MUTEX_EXIT(&nextnat->nat_lock);
5068:			}
5069:		} else {
5070:			bzero(&zeronat, sizeof(zeronat));
5071:			nextnat = &zeronat;
5072:			count = 1;
5073:		}
5074:		break;
5075:	default :
5076:		break;
5077:	}
5078:	RWLOCK_EXIT(&ipf_nat);
5079:
5080:	if (freet != NULL) {
5081:		ipf_freetoken(freet);
5082:		freet = NULL;
5083:	}
...
5112:	case IPFGENITER_NAT :
5113:		if (nat != NULL)
5114:			fr_natderef(&nat);
5115:		t->ipt_data = nextnat;
5116:		error = COPYOUT(nextnat, dst, sizeof(*nextnat));
...
So for the case when nextnat->nat_next == NULL, count gets set to 1,
freet is assigned the value of t, that structure is freed and then on 5115
it is deref'd again (memory use after free).
Darren
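To make the ordering problem concrete, here is an added model in C, not ipfilter's code: it mimics the token release followed by the later ipt_data write, with the struct definitions, token_release() and demo_step() being hypothetical stand-ins, and reports a write through a released token instead of performing one.

```c
#include <stddef.h>

/* Simplified stand-ins for ipfilter's NAT entry and iterator token
 * (hypothetical, not the kernel's definitions). */
struct nat { struct nat *nat_next; int nat_ref; };
struct iptoken { void *ipt_data; int released; };

/* Model of ipf_freetoken(): mark the token released instead of freeing it,
 * so a later write through it is reported rather than being undefined. */
static void token_release(struct iptoken *t) { t->released = 1; }

/* One IPFGENITER_NAT step handing out nextnat (assumed non-NULL here).
 * fix_order == 0: the token is released before ipt_data is written, the
 * ordering quoted in the PR. fix_order == 1: the release is deferred until
 * the token is no longer referenced.
 * Returns 0 on success, -1 if the token was written after release. */
int nat_iter_step(struct iptoken *t, struct nat *nextnat, int fix_order)
{
    struct iptoken *freet = NULL;

    if (nextnat->nat_next == NULL)   /* last entry: the walk is finished */
        freet = t;
    nextnat->nat_ref++;              /* hold the entry across the copy */

    if (!fix_order && freet != NULL)
        token_release(freet);        /* too early: t is still needed below */

    if (t->released)
        return -1;                   /* corresponds to the write on 5115 */
    t->ipt_data = nextnat;
    /* COPYOUT(nextnat, dst, sizeof(*nextnat)) would run here */

    if (fix_order && freet != NULL)
        token_release(freet);        /* safe: nothing touches t after this */
    return 0;
}

/* Drive one step over a constructed two-entry list (first -> last):
 * on_last selects whether the step hands out the final entry. */
int demo_step(int on_last, int fix_order)
{
    struct nat last = { NULL, 0 };
    struct nat first = { &last, 0 };
    struct iptoken t = { NULL, 0 };
    return nat_iter_step(&t, on_last ? &last : &first, fix_order);
}
```

Only the step that hands out the last entry trips the check, and only with the original ordering; deferring the release past the last use of t clears it.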