Prevent icmp_reflect() from calling ip_output() with a NULL route

pointer which will then result in the allocated route's reference count never being decremented. Just flood ping the localhost and watch refcnt of the 127.0.0.1 route with netstat(1). Submitted by: jayanth Back out ip_output.c,v 1.143 and ip_mroute.c,v 1.69 that allowed ip_output() to be called with a NULL route pointer. The previous paragraph shows why this was a bad idea in the first place. MFC after: 0 days
author: ru <ru@FreeBSD.org> 2002-03-22 16:45:54 +0000
committer: ru <ru@FreeBSD.org> 2002-03-22 16:45:54 +0000
commit: cb4688c90eead16a0ff16654cec050f9ee06304b (patch)
tree: 0af413607ca5eca2f6e2c8d42cb082903ea99317 /sys/netinet/ip_mroute.c
parent: 054cce2c17eeea8f911e8082b3e38d5343409c96 (diff)
download: FreeBSD-src-cb4688c90eead16a0ff16654cec050f9ee06304b.zip
FreeBSD-src-cb4688c90eead16a0ff16654cec050f9ee06304b.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index 3249308..4847b6d 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -1867,6 +1867,7 @@ tbf_send_packet(vifp, m)
 {
     struct ip_moptions imo;
     int error;
+    static struct route ro;
     int s = splnet();
 
     if (vifp->v_flags & VIFF_TUNNEL) {
@@ -1885,7 +1886,7 @@ tbf_send_packet(vifp, m)
 	 * should get rejected because they appear to come from
 	 * the loopback interface, thus preventing looping.
 	 */
-	error = ip_output(m, (struct mbuf *)0, NULL,
+	error = ip_output(m, (struct mbuf *)0, &ro,
 			  IP_FORWARDING, &imo);
 
 	if (mrtdebug & DEBUG_XMIT)
author	ru <ru@FreeBSD.org>	2002-03-22 16:45:54 +0000
committer	ru <ru@FreeBSD.org>	2002-03-22 16:45:54 +0000
commit	cb4688c90eead16a0ff16654cec050f9ee06304b (patch)
tree	0af413607ca5eca2f6e2c8d42cb082903ea99317 /sys/netinet/ip_mroute.c
parent	054cce2c17eeea8f911e8082b3e38d5343409c96 (diff)
download	FreeBSD-src-cb4688c90eead16a0ff16654cec050f9ee06304b.zip FreeBSD-src-cb4688c90eead16a0ff16654cec050f9ee06304b.tar.gz