From 7645663790fb704b226d629ca27b5c3d79cd364a Mon Sep 17 00:00:00 2001
From: joerg
Date: Sat, 13 Jan 2007 23:13:46 +0000
Subject: [PATCH] Unconditionally zero and free iproute. Before IPsec tunnel packets e.g. from ICMP could end up in leaking the reference in iproute, as ipsec4_output would overwrite the ro pointer in state. Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
---
 sys/netinet/ip_output.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 9df2bc23c406..7bc08326c07b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_output.c,v 1.173 2007/01/08 04:14:54 yamt Exp $ */
+/* $NetBSD: ip_output.c,v 1.174 2007/01/13 23:13:46 joerg Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.173 2007/01/08 04:14:54 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.174 2007/01/13 23:13:46 joerg Exp $");
 #include "opt_pfil_hooks.h"
 #include "opt_inet.h"
@@ -287,10 +287,9 @@ ip_output(struct mbuf *m0, ...)
 /*
 * Route packet.
 */
- if (ro == NULL) {
+ bzero(&iproute, sizeof(iproute));
+ if (ro == NULL)
 ro = &iproute;
- bzero((caddr_t)ro, sizeof (*ro));
- }
 dst = satosin(&ro->ro_dst);
 /*
 * If there is a cached route,
@@ -965,8 +964,7 @@ spd_done:
 if (error == 0)
 ipstat.ips_fragmented++;
 done:
- if (ro == &iproute && (flags & IP_ROUTETOIF) == 0)
- rtcache_free(ro);
+ rtcache_free(&iproute);
 #ifdef IPSEC
 if (sp != NULL) {
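Review bot: The now-unconditional `bzero(&iproute, sizeof(iproute));` under "Route packet" has no comment tying it to the cleanup at `done:`, which after this commit calls `rtcache_free(&iproute)` on every exit. A comment such as `/* Always start from a zeroed iproute: the IPsec path may repoint ro, so done: releases &iproute unconditionally. */` would keep a later edit from moving the zeroing back inside the `ro == NULL` branch and reintroducing the reference leak. The zeroing also has to execute before any jump to `done:`. ip_output starts outside this hunk, so whether an earlier error path exists cannot be checked here; if one does, it would hand uninitialised stack to the free.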
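Review bot: `rtcache_free(&iproute);` at `done:` now also runs when the caller passed its own `ro` and when `IP_ROUTETOIF` is set, both cases in which `iproute` is presumably still all zeroes. That is only safe if rtcache_free() treats a zeroed `struct route` as nothing to release; its definition is not in this diff, so this is worth confirming and recording in a one-line comment, e.g. `/* iproute is zeroed above; freeing an unused one is a no-op */`. The hunk also does not show what releases a route cached through a `ro` that the IPsec code repointed, which the commit message names as the cause of the leak; ip_output continues past the end of the hunk.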