In ip_output(), the flow-table module must not try to cache L2/L3

information for interface of IFF_POINTOPOINT or IFF_LOOPBACK type.
Since the L2 information (rt_lle) is invalid for these interface
types, accidental caching attempt will trigger panic when the invalid
rt_lle reference is accessed.

When installing a new route, or when updating an existing route, the
user supplied gateway address may be an interface address (this is
particularly true for point-to-point interface related modules such
as ppp, if_tun, if_gif). Currently the routing command handler always
set the RTF_GATEWAY flag if the gateway address is given as part of the
command paramters. Therefore the gateway address must be verified against
interface addresses or else the route would be treated as an indirect
route, thus making that route unusable.

Reviewed by:	kmacy, julia, rwatson
Verified by:	marcus
MFC after:	3 days

1 files changed, 6 insertions, 0 deletions

diff --git a/sys/net/flowtable.c b/sys/net/flowtable.c
index 98127ed..22cab54 100644
--- a/sys/net/flowtable.c
+++ b/sys/net/flowtable.c
@@ -692,6 +692,12 @@ uncached:
 		struct rtentry *rt = ro->ro_rt;
 		struct ifnet *ifp = rt->rt_ifp;
 
+		if (ifp->if_flags & (IFF_POINTOPOINT | IFF_LOOPBACK)) {
+			RTFREE(rt);
+			ro->ro_rt = NULL;
+			return (ENOENT);
+		}
+
 		if (rt->rt_flags & RTF_GATEWAY)
 			l3addr = rt->rt_gateway;
 		else