Prevent icmp_reflect() from calling ip_output() with a NULL route

pointer which will then result in the allocated route's reference
count never being decremented.  Just flood ping the localhost and
watch refcnt of the 127.0.0.1 route with netstat(1).

Submitted by:	jayanth

Back out ip_output.c,v 1.143 and ip_mroute.c,v 1.69 that allowed
ip_output() to be called with a NULL route pointer.  The previous
paragraph shows why this was a bad idea in the first place.

MFC after:	0 days

1 files changed, 4 insertions, 6 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index d46d984..f456456 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -123,12 +123,12 @@ ip_output(m0, opt, ro, flags, imo)
 	struct mbuf *m = m0;
 	int hlen = sizeof (struct ip);
 	int len, off, error = 0;
-	struct route iproute;
 	struct sockaddr_in *dst;
 	struct in_ifaddr *ia;
 	int isbroadcast, sw_csum;
 	struct in_addr pkt_dst;
 #ifdef IPSEC
+	struct route iproute;
 	struct socket *so = NULL;
 	struct secpolicy *sp = NULL;
 #endif
@@ -189,6 +189,9 @@ ip_output(m0, opt, ro, flags, imo)
 #ifdef	DIAGNOSTIC
 	if ((m->m_flags & M_PKTHDR) == 0)
 		panic("ip_output no HDR");
+	if (!ro)
+		panic("ip_output no route, proto = %d",
+		      mtod(m, struct ip *)->ip_p);
 #endif
 	if (opt) {
 		m = ip_insertoptions(m, opt, &len);
@@ -214,11 +217,6 @@ ip_output(m0, opt, ro, flags, imo)
 		hlen = IP_VHL_HL(ip->ip_vhl) << 2;
 	}
 
-	/* Route packet. */
-	if (ro == NULL) {
-		ro = &iproute;
-		bzero(ro, sizeof(*ro));
-	}
 	dst = (struct sockaddr_in *)&ro->ro_dst;
 	/*
 	 * If there is a cached route,