From 88ef993e5e9392eb8720450f6b48b3bd47153ca9 Mon Sep 17 00:00:00 2001
From: bmilekic
Date: Sun, 4 Mar 2001 21:28:40 +0000
Subject: During a flood, we don't call rtfree(), but we remove the entry ourselves. However, if the RTF_DELCLONE and RTF_WASCLONED condition passes, but the ref count is > 1, we won't decrement the count at all. This could lead to route entries never being deleted. Here, we call rtfree() not only if the initial two conditions fail, but also if the ref count is > 1 (and we therefore don't immediately delete the route, but let rtfree() handle it). This is an urgent MFC candidate. Thanks go to Mike Silbersack for the fix, once again. :-) Submitted by: Mike Silbersack
---
 sys/netinet/in_pcb.c | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)
(limited to 'sys/netinet')
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 019a6e0..45c13a4 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -562,19 +562,13 @@ in_pcbdetach(inp)
 * route deletion requires reference count to be <= zero
 */
 if ((rt->rt_flags & RTF_DELCLONE) &&
- (rt->rt_flags & RTF_WASCLONED)) {
- if (--rt->rt_refcnt <= 0) {
- rt->rt_flags &= ~RTF_UP;
- rtrequest(RTM_DELETE, rt_key(rt),
- rt->rt_gateway, rt_mask(rt),
- rt->rt_flags, (struct rtentry **)0);
- }
- else
- /*
- * more than one reference, bump it up
- * again.
- */
- rt->rt_refcnt++;
+ (rt->rt_flags & RTF_WASCLONED) &&
+ (rt->rt_refcnt <= 1)) {
+ rt->rt_refcnt--;
+ rt->rt_flags &= ~RTF_UP;
+ rtrequest(RTM_DELETE, rt_key(rt),
+ rt->rt_gateway, rt_mask(rt),
+ rt->rt_flags, (struct rtentry **)0);
 }
 else
 rtfree(rt);
-- 
cgit v1.1
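Review bot: The new `(rt->rt_refcnt <= 1)` test followed by the unconditional `rt->rt_refcnt--` also sends a count that is already 0 or negative down the delete path, pushing it further below zero instead of surfacing the accounting error. Since the PCB is presumably expected to hold exactly one reference at this point, a comment above the decrement such as `/* we hold the last reference: drop it, then delete the cloned route ourselves */` would make the invariant explicit, and an assertion like `KASSERT(rt->rt_refcnt >= 1, ("in_pcbdetach: bad rt_refcnt"));` could guard it if the macro is usable in this file. The result of `rtrequest(RTM_DELETE, ...)` is also discarded after `RTF_UP` has been cleared and the count dropped, so a failed delete would apparently leave an entry that `rtfree()` never sees, which is the same leak-under-flood outcome the commit sets out to close; this should be confirmed against rtrequest(), which is not visible here. The body of in_pcbdetach() starts and ends outside the hunk, so whatever protection makes the check-then-decrement safe against concurrent updates cannot be verified from these lines.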