Unconditionally zero and free iproute. Before IPsec tunnel packets e.g.

from ICMP could end up in leaking the reference in iproute, as ipsec4_output would overwrite the ro pointer in state. Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
2007-01-13 23:13:46 +00:00 · 2007-01-13 23:13:46 +00:00 · 7645663790
parent 9c3107d24d
commit 7645663790
1 changed files with 5 additions and 7 deletions
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.173 2007/01/08 04:14:54 yamt Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.174 2007/01/13 23:13:46 joerg Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.173 2007/01/08 04:14:54 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.174 2007/01/13 23:13:46 joerg Exp $");

 #include "opt_pfil_hooks.h"
 #include "opt_inet.h"
@ -287,10 +287,9 @@ ip_output(struct mbuf *m0, ...)
 	/*
 	 * Route packet.
 	 */
-	if (ro == NULL) {
+	bzero(&iproute, sizeof(iproute));
+	if (ro == NULL)
 		ro = &iproute;
-		bzero((caddr_t)ro, sizeof (*ro));
-	}
 	dst = satosin(&ro->ro_dst);
 	/*
 	 * If there is a cached route,
@ -965,8 +964,7 @@ spd_done:
 	if (error == 0)
 		ipstat.ips_fragmented++;
 done:
-	if (ro == &iproute && (flags & IP_ROUTETOIF) == 0)
-		rtcache_free(ro);
+	rtcache_free(&iproute);

 #ifdef IPSEC
 	if (sp != NULL) {